[erlang-questions] wow: MD5 broken

Michael Regen michael.regen@REDACTED
Wed Dec 5 21:20:36 CET 2007


On Dec 3, 2007 1:30 PM, Michael Regen <michael.regen@REDACTED> wrote:

> On Dec 3, 2007 11:07 AM, Per Hedeland <per@REDACTED> wrote:
>
> > Then again, everyone seems to think that the
> > Erlang distribution is inherently unsafe anyway (for reasons that aren't
> > obvious to me at least)...
> >
> > --Per Hedeland
> >
>
> I can just talk about myself. And I simply do not know whether it is safe
> or not. I have not seen any reviews of it, neither bad nor good ones and I
> assume that its ability to withstand attacks is not tested much because I
> assume that most Erlang nodes are operated in a safe environment. Remember,
> even OpenSSH had its troubles. One of the design goals of OpenSSH was to
> operate it in the wild. I do not know whether this was also one of the
> design goals of Erlang distribution. I tend to deny this since I read
> distribution_handshake.txt ("This is not entirelly safe, as it is vulnerable
> against takeover attacks, but it is a tradeoff between fair safety and
> performance.").
> Erlang SSL distribution is currently broken. You cannot control which IP
> address epmd binds to...
>
> I think in the area of IT security you have to choose the defensive
> approach. You need a proof or very good hints that something is secure
> before you can assume it to be secure. Therefore I handle Erlang
> distribution as if it were unsafe.
>
> By the way I am only referring to open source Erlang. I cannot say
> anything about the commercial version of Erlang.
>
> Cheers,
> Michael
>
Maybe already a bit off topic, however: The most simple form of a denial
of service attack consists of sending the bytes 0x00, 0x01, 0x6B to your
epmd port causing epmd to shut down, rendering all nodes on this system
unavailable for subsequent connection attempts of new distributed nodes.
Established connections are not affected, I think.

Heart does not help here. Also restarting epmd does not help unless you find
a way to re-register your running nodes to epmd (which is possible I guess).


Cheers,
Michael
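As an added example (not from Michael's post or from the Erlang/OTP sources), a frame-aware decoder for the epmd request protocol of the kind a monitoring script on a network tap or connection log could use to alert on the three-byte kill request described above; the tag values follow the Erlang distribution protocol documentation, the node name "kernel_k" and the address 10.0.0.5 are constructed sample data.

```python
import struct
# EPMD request tags, per the Erlang distribution protocol documentation.
# Each request is a 2-byte big-endian length, then a one-byte tag, then payload.
EPMD_TAGS = {
    0x78: "ALIVE2_REQ",        # 'x': a node registers its name and listen port
    0x7A: "PORT_PLEASE2_REQ",  # 'z': look up a node's port
    0x6E: "NAMES_REQ",         # 'n': list registered nodes
    0x64: "DUMP_REQ",          # 'd'
    0x6B: "KILL_REQ",          # 'k': the 0x00 0x01 0x6B message that stops epmd
    0x73: "STOP_REQ",          # 's': unregister one node
}
SHUTDOWN_TAGS = {"KILL_REQ", "STOP_REQ"}

def parse_epmd_requests(data: bytes):
    """Split a client-to-epmd byte stream into (tag_name, payload) pairs. Frame-aware: only
    a frame's first byte is the tag, so 0x6B inside a node name is not a kill request."""
    requests, offset = [], 0
    while offset + 2 <= len(data):
        (length,) = struct.unpack_from(">H", data, offset)
        if length == 0:                       # empty frame is not a valid request
            requests.append(("MALFORMED", b""))
            offset += 2
            continue
        if offset + 2 + length > len(data):   # frame not fully received yet
            break
        body = data[offset + 2:offset + 2 + length]
        requests.append((EPMD_TAGS.get(body[0], "UNKNOWN_0x%02X" % body[0]), body[1:]))
        offset += 2 + length
    return requests, data[offset:]          # trailing bytes of a partial frame, if any

def alive2_node_name(payload: bytes) -> bytes:
    """Node name from an ALIVE2_REQ payload: port(2) type(1) proto(1) hi(2) lo(2) nlen(2) name."""
    nlen = struct.unpack_from(">HBBHHH", payload, 0)[5]
    return payload[10:10 + nlen]

def flag_shutdown_requests(data: bytes, src: str):
    """One alert per request in the stream that would stop epmd or unregister a node."""
    requests, _ = parse_epmd_requests(data)
    return [f"{src}: epmd {tag} received" for tag, _ in requests if tag in SHUTDOWN_TAGS]

def alive2_req(port: int, name: bytes) -> bytes:
    """Constructed ALIVE2_REQ for a normal node ('M'), TCP/IPv4, dist version 5, no extra."""
    body = struct.pack(">BHBBHHH", 0x78, port, ord("M"), 0, 5, 5, len(name)) + name + b"\x00\x00"
    return struct.pack(">H", len(body)) + body

# Constructed sample: node "kernel_k" registers, a NAMES_REQ, then the 3-byte kill request.
SAMPLE_STREAM = alive2_req(40001, b"kernel_k") + b"\x00\x01\x6e" + b"\x00\x01\x6b"

if __name__ == "__main__":
    print(flag_shutdown_requests(SAMPLE_STREAM, "10.0.0.5"))
```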