[erlang-questions] Erlang cookies are secure

[Technion]

One thing here is that a cookie has to be constant across an environment.


It's not easy to rotate it by tackling a few nodes at a time, and you can't define a new username, roll it out, and disable the old one later. As far as I know, it's always transferred in cleartext, and doesn't authenticate who it is being given to.


By modern security standards, it's very poor. But I also agree, the mere use cookies, from an outside attacker, is still a mile ahead of authenticated access, unless I'm missing something.

________________________________
From: erlang-questions-bounces@REDACTED <erlang-questions-bounces@REDACTED> on behalf of zxq9 <zxq9@REDACTED>
Sent: Friday, 10 June 2016 2:33:25 PM
To: erlang-questions@REDACTED
Subject: Re: [erlang-questions] Erlang cookies are secure

On 2016年6月9日 木曜日 22:44:57 Louis Pilfold wrote:
> Hi!
>
> In the event that the cookie is your only security, what do you do
> when your cookie gets out?
>
> Event if you cookie is not guessable, there is still a chance that
> through malicious act or human error a trusted person within your
> organisation shares your cookie with others. I've not got the evidence
> to hand, but while preparing for security audits at a previous
> workplace our trainer told us that most security breaches are due to
> the actions of people within the organisation rather than outside of
> it. This seems very plausible to me.

People are almost always easier to manipulate or catch in error than
systems are to crack through exploitation of technical flaws.

How is this not exactly the same as a password? Or AWS credentials?
Or a secret key? Or any other of a host of similar schemes?

-Craig
_______________________________________________
erlang-questions mailing list
erlang-questions@REDACTED
http://erlang.org/mailman/listinfo/erlang-questions
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20160610/2fff12d9/attachment.htm>