cookies and internet
Thu Jul 12 20:53:29 CEST 2001
At 19:04 12/07/01, wrote:
>The cookie is not sent in the clear!
>Not since open source erlang anyway. The cookie may be generated or pasted in
>by hand either in the .erlang.cookie file or from the command line
>When a node connectes with another node, a challenge is sent from the node
>Then it expects the challenge+cookie md5 sum as return (i.e not in the clear).
>After that the connection is ready to be hijacked ;-)
Oops. I should have looked more closely. That's good to hear
(theoretically, one ought to use a proper MAC, but in this case, a keyed
hash should serve well enough). Is the cookie generation also fixed? Last
I saw, it was pretty ridiculously weak (although one could always generate
it oneself, outside of erlang), but again, I didn't delve into the details,
and certainly not recently.
>I hope we soon can run distribution over SSL.
Is there such a version of erlang available? I'd be interested.
>>I've been intending to implement a simple version of cryptographically
>>secured communications for Erlang/OTP, but haven't found the time. If
>>someone else is working on this (or wants to), then I'd be happy to share
>>my ideas. There are some subtle problems involved in setting up such a scheme.
>>I hope this helps.
>I think SSL is the simple way forward.
Maybe. The SSL code is widely available, and the protocol is well
analysed. These are definite pluses. The minuses are that SSL is
horrendously complex (and early versions of the protocol were flawed, for
that very reason), and it is easy to misconfigure, and it usually requires
an expensive setup (perhaps overly expensive for something like erlang,
where a node coming up may want to make connections to a large number of
other nodes at the same time). Note that since erlang nodes only talk to
other compatible erlang nodes via their distribution mechanism, there is no
requirement that the distribution mechanism be "standards compliant"; thus
it would be reasonable to use a simpler protocol.
Thanks, and sorry about the misinformation,
More information about the erlang-questions