<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">I guess it's worth mentioning in the current thread that the present architecture only supports one distributed protocol in a node at a time. So using TLS for some nodes over Internet would require all nodes in a cluster to use TLS, which is a waste of resources and additional latency for nodes located in the same local network not involving Internet.</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">I'd love to see some progress by the OTP team in flexing this requirement, since the patch I submitted a while back that introduced support for distribution over multiple protocols was not accepted (*).</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Serge</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">(*) <a href="http://erlang.org/pipermail/erlang-patches/2014-January/004522.html">http://erlang.org/pipermail/erlang-patches/2014-January/004522.html</a></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jun 10, 2016 at 4:10 PM, Per Hedeland <span dir="ltr"><<a href="mailto:per@hedeland.org" target="_blank">per@hedeland.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Tony Rogvall <<a href="mailto:tony@rogvall.se">tony@rogvall.se</a>> wrote:<br>
><br>
>I am not sure what you mean by sniff cookies?<br>
><br>
>The distribution has been sending blank cookies since the first open source release.<br>
>The distribution does not send the cookie in clear text but relies on an MD5 challenge procedure<br>
>at connection setup.<br>
<br>
Hi Tony!<br>
<br>
Indeed - and I will take credit for pestering you to fix that just<br>
before the first open source release:-) (I will not divulge what it did<br>
before that...).<br>
<br>
>So Erlang is more likely to be vulnerable to connection hijacking since not every message<br>
>is signed.<br>
<br>
Yes - the *default* distribution fulfills none of the CIA requirements<br>
(no, not that evil US thing, but Confidentiality, Integrity, and<br>
Availability). But this has nothing to do with the authentication<br>
mechanism as such, and can be fixed by using TLS - which also brings one<br>
or more other authentication mechanisms, but they are not in any<br>
fundamental sense more "secure" than the cookie authentication.<br>
<br>
>So keep the nodes safe and away from random users. At least until we get Safe Erlang ( any decade now )<br>
<br>
Sure - but this point is actually also confusing in a cookie discussion,<br>
as shown by other messages in this thread - it is about the<br>
*authorization* you automatically get at the point when you have managed<br>
to break the authentication mechanism - i.e. basically you can do<br>
"anything". But this is independent of the strength of the<br>
authentication mechanism itself.<br>
<br>
I do find it rather tiresome with this constant ridicule of the cookie<br>
authentication from people who haven't even bothered to do a basic<br>
investigation of how it works, let alone done any actual security<br>
analysis.<br>
<br>
And just to put another myth to death, no, you are not required to use<br>
the same cookie on all your distributed erlang nodes - every node is<br>
capable of maintaining a specific cookie for every other node, RTFM<br>
erlang:set_cookie/2.<br>
<br>
It is absolutely true that *maintaining* security in a network with<br>
cookie-based authentication can be troublesome, and that e.g. TLS with<br>
certificate authentication can do much better in that respect, as long<br>
as you have mechanisms for certificate revocation properly set up (which<br>
in turn is not entirely trivial to do).<br>
<br>
But again, as long as you do not throw your cookies around, AFAIK no-one<br>
has demonstrated any fundamental weakness with the mechanism as such.<br>
<br>
--Per<br>
_______________________________________________<br>
erlang-questions mailing list<br>
<a href="mailto:erlang-questions@erlang.org">erlang-questions@erlang.org</a><br>
<a href="http://erlang.org/mailman/listinfo/erlang-questions" rel="noreferrer" target="_blank">http://erlang.org/mailman/listinfo/erlang-questions</a><br>
</blockquote></div><br></div>
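To make Per's and Tony's points concrete (the cookie never crosses the wire, the handshake is an MD5 challenge-response, and each node can hold a different cookie per peer as with erlang:set_cookie/2), here is an added model of the handshake in Python. It is not code from OTP or from anyone in this thread; the digest construction mirrors the one documented for the distribution protocol (MD5 over the cookie followed by the decimal challenge), while the message names, the `Node` class and the sample cookies are this example's own assumptions.

```python
import hashlib
import hmac
import os


def gen_digest(challenge: int, cookie: bytes) -> bytes:
    """Digest as documented for the distribution handshake:
    MD5(cookie ++ integer_to_list(challenge))."""
    return hashlib.md5(cookie + str(challenge).encode("ascii")).digest()


class Node:
    """Hypothetical node holding one cookie per peer, mirroring
    erlang:set_cookie(PeerNode, Cookie). Not an OTP API."""

    def __init__(self, name: str, cookies: dict):
        self.name = name
        self.cookies = cookies  # peer name -> cookie bytes

    def cookie_for(self, peer: str) -> bytes:
        return self.cookies[peer]


def handshake(a: Node, b: Node, rng=os.urandom):
    """Run both sides of the challenge/response between a and b.
    Returns (mutually_authenticated, wire_log); wire_log holds every
    field that would have been visible to a passive observer."""
    wire = []
    # A -> B: node name only; no cookie.
    wire.append(("A->B", "send_name", a.name))
    # B -> A: 32-bit random challenge.
    chal_b = int.from_bytes(rng(4), "big")
    wire.append(("B->A", "send_challenge", chal_b))
    # A -> B: A's own challenge plus MD5(cookie_A_for_B ++ chal_b).
    chal_a = int.from_bytes(rng(4), "big")
    digest_a = gen_digest(chal_b, a.cookie_for(b.name))
    wire.append(("A->B", "send_challenge_reply", chal_a, digest_a))
    # B recomputes with its cookie for A; constant-time compare.
    expected_a = gen_digest(chal_b, b.cookie_for(a.name))
    if not hmac.compare_digest(digest_a, expected_a):
        wire.append(("B", "reject"))
        return False, wire
    # B -> A: MD5(cookie_B_for_A ++ chal_a) proves B knows the cookie too.
    digest_b = gen_digest(chal_a, b.cookie_for(a.name))
    wire.append(("B->A", "send_challenge_ack", digest_b))
    expected_b = gen_digest(chal_a, a.cookie_for(b.name))
    if not hmac.compare_digest(digest_b, expected_b):
        wire.append(("A", "reject"))
        return False, wire
    return True, wire


def cookie_appears_on_wire(wire, cookie: bytes) -> bool:
    """Defender's check: does the raw cookie occur in any transmitted field?"""
    for msg in wire:
        for field in msg:
            blob = field if isinstance(field, bytes) else str(field).encode()
            if cookie in blob:
                return True
    return False


# Constructed sample: a@lan and b@lan share one cookie, a@lan and c@wan
# another, so a compromise of c@wan's cookie does not open the a<->b link.
SHARED_LAN = b"S3CRET-LAN"
SHARED_WAN = b"S3CRET-WAN"
A = Node("a@lan", {"b@lan": SHARED_LAN, "c@wan": SHARED_WAN})
B = Node("b@lan", {"a@lan": SHARED_LAN})
C_BAD = Node("c@wan", {"a@lan": b"wrong-guess"})  # peer without the right cookie


def demo():
    ok_ab, wire_ab = handshake(A, B)
    ok_ac, _ = handshake(A, C_BAD)
    leaked = cookie_appears_on_wire(wire_ab, SHARED_LAN)
    return ok_ab, ok_ac, leaked


if __name__ == "__main__":
    print(demo())
```

The log returned by `handshake` is the point of the exercise: it contains names, two random challenges and two 16-byte digests, never the cookie itself, which is what Tony's "not in clear text" means. What the handshake does not do, as he also notes, is protect the messages that follow it; that is the gap TLS on the distribution carrier closes.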