[erlang-questions] security concerns

John Kemp john@REDACTED
Fri Apr 4 14:48:19 CEST 2014


On 04/04/2014 08:10 AM, Arif Ishaq wrote:
> I just saw a post by Carlos-Trigoso on the security, or rather lack
> thereof in Erlang
> (http://carlos-trigoso.com/2014/03/04/security-taken-lightly/) .
>
> It seems like a fair evaluation.

I would suggest that it is _not_ a fair evaluation.

As Loïc mentioned, name any language or OS environment that does 
something like what the author suggests for Erlang?

But more than that, why would protocols for connecting nodes inside of a 
network be the same as protocols used between data-centres, particularly 
when connections between data centres will possibly go across networks 
not owned by the owner of the data centres?

The cookie mechanism used by Erlang seems perfectly fine within the 
context of a local network. If the threat is that an attacker could 
bring up a "rogue" node which was able to talk to the valid nodes, that 
attacker would first have to compromise the Erlang cookie value from 
another node on the network, at which point, you probably have worse 
problems than Erlang interconnection ones. Hypervisor security (in a 
virtualized environment) and standard network firewalling should take 
care of this.

Perhaps there is some specific security threat there, but the author 
certainly doesn't mention it in any detail.

As for across data centres, I would suggest that the common protocols 
for talking across insecure networks are used, for which TLS/SSL 
transport encryption is a very good suggestion from Fred.

Any protocol you use in a high-latency, lossy connection should in any 
case likely be different than a protocol for low-latency, lossless 
communication between local nodes.

- johnk

> Is there anything in the making to
> improve on it?
>
> Thanks and best regards
>
> Arif
>
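Added example, not part of the original message: the two mitigations named in the reply above (TLS on the distribution protocol for links between data centres, and a firewallable port range for distribution traffic) map onto these OTP settings. The file paths, node name and port numbers are placeholders; the option-file format is the one read by `-ssl_dist_optfile` in OTP releases that support it.

```erlang
%% ssl_dist.conf (placeholder paths): TLS options for Erlang distribution.
%% Both the accepting (server) and connecting (client) side present a
%% certificate and verify the peer against the same CA, so a node that
%% only knows the cookie cannot join a cluster without a valid certificate.
%%
%% Start a node with (the cookie stays in ~/.erlang.cookie, mode 0400, so it
%% never appears on the command line or in the process list):
%%   erl -sname nodea -proto_dist inet_tls \
%%       -ssl_dist_optfile /etc/erlang/dist/ssl_dist.conf \
%%       -kernel inet_dist_listen_min 9100 inet_dist_listen_max 9105
%% The fixed 9100-9105 range (plus epmd on 4369) is what the inter-site
%% firewall rule allows; everything else between the sites stays closed.
[{server, [{certfile,   "/etc/erlang/dist/node-cert.pem"},
           {keyfile,    "/etc/erlang/dist/node-key.pem"},
           {cacertfile, "/etc/erlang/dist/ca.pem"},
           {verify, verify_peer},            % require and check the peer cert
           {fail_if_no_peer_cert, true},     % reject peers with no cert
           {secure_renegotiate, true}]},
 {client, [{certfile,   "/etc/erlang/dist/node-cert.pem"},
           {keyfile,    "/etc/erlang/dist/node-key.pem"},
           {cacertfile, "/etc/erlang/dist/ca.pem"},
           {verify, verify_peer},            % verify the remote node's cert
           {secure_renegotiate, true}]}].
```

Nodes inside one trusted network segment can keep the plain `inet_tcp` distribution the reply describes; only the nodes whose distribution traffic crosses an untrusted network need to be started with `-proto_dist inet_tls`, and a TLS node will not interoperate with a plain TCP node.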