[erlang-questions] Erlang cookies are secure

zxq9 zxq9@REDACTED
Fri Jun 10 12:45:14 CEST 2016


On Friday, 10 June 2016 12:14:09 Tony Rogvall wrote:
> Hi Chandru.
> 
> I am not sure what you mean by sniff cookies?
> 
> The distribution has been sending blank cookies since the first open source release.
> The distribution does not send the cookie in clear text but relies on an MD5 challenge procedure
> at connection setup.
> 
> So Erlang is more likely to be vulnerable to connection hijacking since not every message
> is signed.
> 
> So keep the nodes safe and away from random users. At least until we get Safe Erlang ( any decade now )

Indeed! :-)

On that note...

Even if it were safe to run disterl across a WAN on an open network, does anyone really think operating a chatty mesh across variable latency connections is a good idea?

"Variable" meaning:
  - Totally out of your control
  - Local nodes and distant nodes will have dramatic
    network performance differences.

That's not at all the case disterl seems to have been intended for. Or at least it certainly doesn't seem to have been the case driving the disterl implementation. I've only ever seen localized disterl clusters connect (sometimes multiply) over TLS to distant other clusters -- treating each cluster, essentially, as an opaque supernode in a larger system.

It would be pretty slick if we could link safely across the world with a very flexible distribution system that works over TLS, checks and verifies peers with certificates, and can handle very long disruptions. Oh, and automatically mend network damage. Oh, and while we're at it, automagically solve network partition problems. Oh, and...

...but we're running a bit short on unicorn blood to feed the machine so instead we have disterl, which seems very much to have been designed with a localized cluster of nodes in mind, all of which are under a reasonable level of control of the system operators -- and therefore constitutes an internally safe execution environment. In this context it is hard to view cookies as really being intended as a security mechanism.

That said, disterl is a dodgy proposition in environments like hosted mesos, AWS, and similar environments where you can't know anything about internal security and there is a strong economic incentive to keep breaches and insecurities quiet.

So now can someone please explain to me why my vision of the world is wrong? *Was* disterl intended to be used to link machines across very wide networks? Were cookies + MD5 intended as a partitioning mechanism, or did someone think that was secure at one time? In *practice* I've only encountered the situation I describe above -- but all this apparent confusion about the issue of what cookies were intended for makes me wonder whether that was the *intention*.

-Craig

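The challenge procedure Tony refers to, written out as an added Python simulation (not code from the thread or from OTP): both nodes derive MD5(cookie ++ decimal challenge), as Erlang's distribution handshake does, so a passive observer of the three handshake messages sees challenges and digests but never the cookie itself. Node names, cookies and the tuple framing of the wire record are constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Erlang's gen_digest(Challenge, Cookie) is
# erlang:md5([atom_to_list(Cookie) | integer_to_list(Challenge)]):
# MD5 over the cookie text followed by the challenge as a decimal string.
def gen_digest(cookie: str, challenge: int) -> bytes:
    return hashlib.md5(cookie.encode() + str(challenge).encode()).digest()

def new_challenge() -> int:
    # 32-bit unsigned random challenge, as the handshake uses.
    return secrets.randbits(32)

@dataclass
class Node:  # constructed stand-in for a distributed Erlang node
    name: str
    cookie: str

def handshake(a: Node, b: Node, wire: list) -> bool:
    """Simulate challenge / challenge_reply / challenge_ack between A and B.
    Every message is appended to `wire`, the record a passive observer sees."""
    ch_a = new_challenge()
    wire.append(("send_challenge", a.name, ch_a))           # A -> B
    ch_b = new_challenge()
    digest_b = gen_digest(b.cookie, ch_a)
    wire.append(("send_challenge_reply", ch_b, digest_b))   # B -> A
    if digest_b != gen_digest(a.cookie, ch_a):
        return False                                        # A rejects B
    digest_a = gen_digest(a.cookie, ch_b)
    wire.append(("send_challenge_ack", digest_a))           # A -> B
    # Only the handshake is authenticated; traffic after this point carries
    # no MAC, which is the hijacking exposure the thread describes.
    return digest_a == gen_digest(b.cookie, ch_b)          # B's check

def cookie_leaked(cookie: str, wire: list) -> bool:
    """True if the cookie text appears verbatim in any captured field."""
    needle = cookie.encode()
    for msg in wire:
        for field in msg:
            if isinstance(field, str) and needle in field.encode():
                return True
            if isinstance(field, bytes) and needle in field:
                return True
    return False
```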