[erlang-questions] Erlang cookies are secure

Chandru chandrashekhar.mullaparthi@REDACTED
Fri Jun 10 10:19:32 CEST 2016


Hi Lyn,

There are several problems with Erlang's distribution model from a security
standpoint. For example, if a host which has access to inter-node comms is
compromised, it can sniff the cookie out and then establish connections to
any node in the Erlang cluster.

Okay, so you change distribution to use TLS so one cannot sniff cookies.
But now imagine that someone got access to just one of the boxes in an
Erlang cluster. The entire cluster is now open for abuse because there is
no access control mechanism within distributed Erlang. There is no audit
log of which node connected when, what commands were executed, nothing at
all. Even os:cmd/1 is available for executing anything as that user on the
box.

Distributed Erlang assumes that the cluster is operating in a secure
environment which may not always satisfy the requirements. For example, if you
are building something in Erlang and you want it to be PCIDSS [1]
compliant, you will want to turn off distributed Erlang on that node
because the combination of the openness of an Erlang cluster combined with
its tracing capabilities means that anyone with access to a single node in
a cluster can trace and capture data flowing through code handling credit
card transactions.

regards,
Chandru

[1] http://www.theukcardsassociation.org.uk/security/what_is_PCI%20DSS.asp


On 9 June 2016 at 21:20, Lyn Headley <lheadley@REDACTED> wrote:

> I don't understand why so many people are so dismissive of
> cookie-based node security. Here's what Fred Hebert wrote, for
> example:
>
> "While documents like the official Erlang documentation put cookies
> under the topic of security, they're really not security at all. If it
> is, it has to be seen as a joke, because there's no way anybody
> serious considers the cookie a safe thing. Why? Simply because the
> cookie is a little unique value that must be shared between nodes to
> allow them to connect together. They're closer to the idea of user
> names than passwords and I'm pretty sure nobody would consider having
> a username (and nothing else) as a security feature. Cookies make way
> more sense as a mechanism used to divide clusters of nodes than as an
> authentication mechanism."
>
> In opposition to this extremely widespread sentiment, I believe that:
>
> 1) It is feasible to create an unguessable cookie.
> 2) It is feasible to prevent outsiders from seeing the cookie's value.
>
> Therefore attackers cannot take over my node by compromising my cookie.
>
> Where is the flaw in my reasoning?
>
> Lyn Headley
>
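
The reply above notes that distributed Erlang keeps no record of which node connected when. As an added example that is not part of the original thread, the gen_server below logs connection events with net_kernel:monitor_nodes/2 and drops peers that are not on an operator-supplied allowlist; the module name dist_audit and the Allowed argument are assumptions, and it does not record what a connected node executes.

```erlang
%% Added example, not code from the thread: minimal connection audit log.
-module(dist_audit).
-behaviour(gen_server).
-export([start_link/1]).
-export([init/1, handle_call/3, handle_cast/2, handle_info/2]).

%% Allowed is a list of node-name atoms expected in this cluster
%% (assumption: the operator maintains this list).
start_link(Allowed) ->
    gen_server:start_link({local, ?MODULE}, ?MODULE, Allowed, []).

init(Allowed) ->
    %% Subscribe to nodeup/nodedown for visible AND hidden nodes;
    %% hidden nodes (e.g. remote shells) are not reported by default.
    ok = net_kernel:monitor_nodes(true, [{node_type, all}, nodedown_reason]),
    %% Record peers that were connected before this process subscribed.
    lists:foreach(fun(N) -> audit(already_connected, N, []) end,
                  nodes(connected)),
    {ok, Allowed}.

handle_info({nodeup, Node, Info}, Allowed) ->
    case lists:member(Node, Allowed) of
        true ->
            audit(nodeup, Node, Info);
        false ->
            audit(nodeup_unexpected, Node, Info),
            %% Best effort only: the peer was already connected when this
            %% message arrived, so it may have acted before the disconnect.
            erlang:disconnect_node(Node)
    end,
    {noreply, Allowed};
handle_info({nodedown, Node, Info}, Allowed) ->
    %% Info carries {nodedown_reason, Reason} because of the option above.
    audit(nodedown, Node, Info),
    {noreply, Allowed};
handle_info(_Other, Allowed) ->
    {noreply, Allowed}.

handle_call(_Req, _From, State) -> {reply, ok, State}.
handle_cast(_Msg, State) -> {noreply, State}.

%% Log one event with a UTC timestamp through the standard error logger.
audit(Event, Node, Info) ->
    error_logger:info_msg("dist_audit ~p node=~p info=~p at=~p~n",
                          [Event, Node, Info, calendar:universal_time()]).
```

Because any connected node can run code on this one, the log is only trustworthy if it is forwarded off the host as it is written.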