22 Jan 2019, 10:21 a.m.
On Tue, Jan 22, 2019 at 07:29:25PM +1300, Zane Bitter wrote:
Last time I heard (which was probably mid-2017), the Trove team had implemented encryption for messages on the RabbitMQ bus. IIUC each DB being managed had its own encryption keys, so that would theoretically prevent both snooping and spoofing of messages. That's the good news.
The bad news is that AFAIK it's still using a shared RabbitMQ bus, so attacks like denial of service are still possible if you can extract the shared credentials from the VM. Not sure about replay attacks; I haven't actually investigated the implementation.
cheers, Zane.
Excellent - many thanks for the confirmation. Cheers, Michael