[erlang-questions] security concerns
Fri Apr 4 14:48:19 CEST 2014
On 04/04/2014 08:10 AM, Arif Ishaq wrote:
> I just saw a post by Carlos-Trigoso on the security, or rather lack
> thereof, in Erlang
> (http://carlos-trigoso.com/2014/03/04/security-taken-lightly/).
> It seems like a fair evaluation.
I would suggest that it is _not_ a fair evaluation.
As Loïc mentioned, name any language or OS environment that does
something like what the author suggests for Erlang?
But more than that, why would protocols for connecting nodes inside of a
network be the same as protocols used between data-centres, particularly
when connections between data centres will possibly go across networks
not owned by the owner of the data centres?
The cookie mechanism used by Erlang seems perfectly fine within the
context of a local network. If the threat is that an attacker could
bring up a "rogue" node which was able to talk to the valid nodes, that
attacker would first have to compromise the Erlang cookie value from
another node on the network, at which point, you probably have worse
problems than Erlang interconnection ones. Hypervisor security (in a
virtualized environment) and standard network firewalling should take
care of this.
Perhaps there is some specific security threat there, but the author
certainly doesn't mention it in any detail.
As for across data centres, I would suggest that the common protocols
for talking across insecure networks are used, for which TLS/SSL
transport encryption is a very good suggestion from Fred.
Any protocol you use in a high-latency, lossy connection should in any
case likely be different than a protocol for low-latency, lossless
communication between local nodes.
> Is there anything in the making to
> improve on it?
> Thanks and best regards
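An added example, not from the thread or from OTP's own documentation, of the cross-data-centre setup the reply recommends: Erlang distribution carried over TLS with mutual certificate verification via OTP's inet_tls distribution module. It assumes a current OTP release that supports -ssl_dist_optfile; the file paths and node name are placeholders.

```erlang
%% ssl_dist.conf (placeholder path): option file for OTP's inet_tls distribution.
%% Start each node with the TLS distribution module instead of plain TCP, e.g.
%%   erl -proto_dist inet_tls -ssl_dist_optfile /etc/erlang/ssl_dist.conf \
%%       -name node@host.example -setcookie <cookie>
%% The cookie challenge still runs inside the TLS session, so it continues to
%% separate clusters; the certificates add node authentication and encryption.
%% Leaving the ssl default of {verify, verify_none} would encrypt traffic but
%% let any host with the cookie join, which is the cross-network concern here.
[{server,
  [{certfile,   "/etc/erlang/certs/node.pem"},       % this node's cert+key (placeholder)
   {cacertfile, "/etc/erlang/certs/cluster-ca.pem"}, % private CA that issues node certs
   {verify, verify_peer},                            % require a client certificate
   {fail_if_no_peer_cert, true},                     % reject peers presenting none
   {secure_renegotiate, true}]},
 {client,
  [{certfile,   "/etc/erlang/certs/node.pem"},
   {cacertfile, "/etc/erlang/certs/cluster-ca.pem"},
   {verify, verify_peer},                            % also verify the node we dial
   {secure_renegotiate, true}]}].
```

Nodes that hold the cookie but no certificate signed by the cluster CA fail the TLS handshake before the cookie challenge is ever exchanged.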