[erlang-questions] Erlang cookies are secure

Tony Rogvall tony@REDACTED
Fri Jun 10 12:14:09 CEST 2016


Hi Chandru.

I am not sure what you mean by sniff cookies?

The distribution has been sending blank cookies since first open source release.
The distribution do not send the cookie in clear text but rely on a MD5 challenge procedure
at connection setup.

So Erlang is more likely to be vulnerable to connection hijacking since not every message
is signed.

So keep the nodes safe and away from random users. At least until we get Safe Erlang ( any decade now )

/Tony

> On 10 jun 2016, at 10:19, Chandru <chandrashekhar.mullaparthi@REDACTED> wrote:
> 
> Hi Lyn,
> 
> There are several problems with Erlang's distribution model from a security standpoint. For e.g. if a host which has access to inter-node comms is compromised, it can sniff the cookie out and then establish connections to any node in the Erlang cluster.
> 
> Okay, so you change distribution to use TLS so one cannot sniff cookies. But now imagine that someone got access to just one of the boxes in an Erlang cluster. The entire cluster is now open for abuse because there is no access control mechanism within distributed erlang. There is no audit log of which node connected when, what commands were executed, nothing at all. Even os:cmd/1 is available for executing anything as that user on the box.
> 
> Distributed erlang assumes that the cluster is operating in a secure environment which may not always satisfy the requirements. For e.g. if you are building something in Erlang and you want it to be PCIDSS [1] compliant, you will want to turn off distributed erlang on that node because the combination of the openness of an Erlang cluster combined with its tracing capabilities means that anyone with access to a single node in a cluster can trace and capture data flowing through code handling credit card transactions.
> 
> regards,
> Chandru
> 
> [1] http://www.theukcardsassociation.org.uk/security/what_is_PCI%20DSS.asp
> 
> 
> On 9 June 2016 at 21:20, Lyn Headley <lheadley@REDACTED> wrote:
> I don't understand why so many people are so dismissive of
> cookie-based node security. Here's what Fred Hebert wrote, for
> example:
> 
> "While documents like the official Erlang documentation put cookies
> under the topic of security, they're really not security at all. If it
> is, it has to be seen as a joke, because there's no way anybody
> serious considers the cookie a safe thing. Why? Simply because the
> cookie is a little unique value that must be shared between nodes to
> allow them to connect together. They're closer to the idea of user
> names than passwords and I'm pretty sure nobody would consider having
> a username (and nothing else) as a security feature. Cookies make way
> more sense as a mechanism used to divide clusters of nodes than as an
> authentication mechanism."
> 
> In opposition to this extremely widespread sentiment, I believe that:
> 
> 1) It is feasible to create an unguessable cookie.
> 2) It is feasible to prevent outsiders from seeing the cookie's value.
> 
> Therefore attackers cannot take over my node by compromising my cookie.
> 
> Where is the flaw in my reasoning?
> 
> Lyn Headley
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
> 
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20160610/6edf0f68/attachment.bin>


More information about the erlang-questions mailing list