[erlang-questions] Erlang cookies are secure

Per Hedeland per@REDACTED
Sat Jun 11 23:54:06 CEST 2016

Ulf Wiger <ulf.wiger@REDACTED> wrote:
>We should be able to agree that:
>- the cookie strategy and challenge aren’t necessarily broken in principle
>- the MD5 hash is a weakness which could be addressed
>- using TCP opens up for eavesdropping and MITM attacks
>- the biggest weakness is the (human) practice of using hard-coded simple cookies for convenience
>- little (albeit some) support exists for applying a more sophisticated cookie management strategy
>- The simplest advice to heed is “don’t expose your dist ports to strangers”

I can agree to all of that, except that I'm not sure that the "weakness"
of MD5, which pertains to its ability to produce a digest of a cleartext
that can't be reproduced by applying it to a different cleartext, even
when the original cleartext is known (i.e. the case of using a digest +
signature to ensure integrity), is significant in this particular
context. And unfortunately that's the only one of your points that
addresses the security of the cookie authentication mechanism as such...
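A small simulation of the cookie challenge/response that this thread is about, added here as an illustration; it is not code from the list post or from OTP. It models the digest as MD5 over the cookie text followed by the challenge in decimal, the construction used by OTP's dist_util (gen_digest/2); the cookie strings and challenge values are constructed for the example. It walks both sides' messages, shows that mismatched cookies are rejected by both ends, and shows that a digest captured from one handshake does not verify against a fresh challenge, which illustrates why the property that matters in this exchange is resistance to forging a digest without the cookie, not MD5's collision weakness.

```python
import hashlib
import secrets
from typing import Optional, Tuple


def gen_digest(cookie: str, challenge: int) -> bytes:
    """Digest of cookie ++ decimal(challenge), modelled on dist_util:gen_digest/2."""
    return hashlib.md5(cookie.encode("ascii") + str(challenge).encode("ascii")).digest()


def verify(cookie: str, my_challenge: int, received_digest: bytes) -> bool:
    """Recompute the digest for the challenge we issued and compare in constant time."""
    return secrets.compare_digest(received_digest, gen_digest(cookie, my_challenge))


def new_challenge() -> int:
    # 32-bit challenge, the width used in the distribution handshake
    return secrets.randbits(32)


def handshake(cookie_a: str, cookie_b: str,
              chal_a: Optional[int] = None,
              chal_b: Optional[int] = None) -> Tuple[bool, bool]:
    """Run the challenge exchange between node A (initiator) and node B.

    Returns (a_accepts_b, b_accepts_a). Challenges may be fixed for
    reproducibility; by default they are drawn at random.
    """
    # 1. A -> B: send_challenge(challenge_a)
    chal_a = new_challenge() if chal_a is None else chal_a

    # 2. B -> A: send_challenge_reply(challenge_b, MD5(cookie_b ++ challenge_a))
    chal_b = new_challenge() if chal_b is None else chal_b
    digest_b = gen_digest(cookie_b, chal_a)

    # 3. A checks B's digest against its own cookie and the challenge it issued
    a_accepts = verify(cookie_a, chal_a, digest_b)

    # 4. A -> B: send_challenge_ack(MD5(cookie_a ++ challenge_b)), B checks it
    digest_a = gen_digest(cookie_a, chal_b)
    b_accepts = verify(cookie_b, chal_b, digest_a)

    return a_accepts, b_accepts


def replay_is_rejected(cookie: str, old_challenge: int, new_challenge_value: int) -> bool:
    """A digest observed for one challenge does not verify against another.

    This is the defender-side check: a fresh challenge per handshake means an
    eavesdropped digest is only useful for the challenge it answered.
    """
    captured = gen_digest(cookie, old_challenge)  # what an eavesdropper sees
    return not verify(cookie, new_challenge_value, captured)


if __name__ == "__main__":
    # Constructed values: cookies and fixed challenges for a reproducible run.
    print("same cookie     :", handshake("constructed-cookie", "constructed-cookie", 1, 2))
    print("different cookie:", handshake("constructed-cookie", "other-cookie", 1, 2))
    print("replay rejected :", replay_is_rejected("constructed-cookie", 1, 3))
```

Running it prints `(True, True)` for matching cookies, `(False, False)` for mismatched ones, and `True` for the replay check. The fixed challenge values are only there so the run is reproducible; `new_challenge()` is what the exchange uses by default.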
