[erlang-questions] Erlang cookies are secure

Louis Pilfold louis@REDACTED
Fri Jun 10 08:18:51 CEST 2016


Heya

With the given examples, each entity had their own password/key/secret, so a
breach means one node is secure, rather than all of them. Additionally, each
piece of functionality can require different permissions, and not all nodes
can have permissions to request all tasks, so the scale of the potential
damage done is lower.

Additionally, one can rotate those values easily; this seems like it would
be much harder to do with cookies.

Cheers,
Louis

On 10 Jun 2016 05:33, "zxq9" <zxq9@REDACTED> wrote:

> On Thursday, 9 June 2016 22:44:57 Louis Pilfold wrote:
> > Hi!
> >
> > In the event that the cookie is your only security, what do you do
> > when your cookie gets out?
> >
> > Even if your cookie is not guessable, there is still a chance that
> > through malicious act or human error a trusted person within your
> > organisation shares your cookie with others. I've not got the evidence
> > to hand, but while preparing for security audits at a previous
> > workplace our trainer told us that most security breaches are due to
> > the actions of people within the organisation rather than outside of
> > it. This seems very plausible to me.
>
> People are almost always easier to manipulate or catch in error than
> systems are to crack through exploitation of technical flaws.
>
> How is this not exactly the same as a password? Or AWS credentials?
> Or a secret key? Or any other of a host of similar schemes?
>
> -Craig
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
>