[erlang-questions] Erlang cookies are secure

Technion technion@REDACTED
Fri Jun 10 08:40:00 CEST 2016

One thing here is that a cookie has to be constant across an environment.

It's not easy to rotate it by tackling a few nodes at a time, and you can't define a new username, roll it out, and disable the old one later. As far as I know, it's always transferred in cleartext, and doesn't authenticate who it is being given to.

By modern security standards, it's very poor. But I also agree, the mere use cookies, from an outside attacker, is still a mile ahead of authenticated access, unless I'm missing something.

From: erlang-questions-bounces@REDACTED <erlang-questions-bounces@REDACTED> on behalf of zxq9 <zxq9@REDACTED>
Sent: Friday, 10 June 2016 2:33:25 PM
To: erlang-questions@REDACTED
Subject: Re: [erlang-questions] Erlang cookies are secure

On 2016年6月9日 木曜日 22:44:57 Louis Pilfold wrote:
> Hi!
> In the event that the cookie is your only security, what do you do
> when your cookie gets out?
> Event if you cookie is not guessable, there is still a chance that
> through malicious act or human error a trusted person within your
> organisation shares your cookie with others. I've not got the evidence
> to hand, but while preparing for security audits at a previous
> workplace our trainer told us that most security breaches are due to
> the actions of people within the organisation rather than outside of
> it. This seems very plausible to me.

People are almost always easier to manipulate or catch in error than
systems are to crack through exploitation of technical flaws.

How is this not exactly the same as a password? Or AWS credentials?
Or a secret key? Or any other of a host of similar schemes?

erlang-questions mailing list
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20160610/2fff12d9/attachment.htm>

More information about the erlang-questions mailing list