[openstack-dev] [nova][keystone] Message Queue Security

Davanum Srinivas davanum at gmail.com
Thu Apr 25 15:58:32 UTC 2013


Simo,

I'll owe you a beverage of your choice when you make it configurable :)

-- dims

On Thu, Apr 25, 2013 at 11:51 AM, Simo Sorce <simo at redhat.com> wrote:
> On Thu, 2013-04-25 at 16:38 +0100, David Chadwick wrote:
>> You answered your own question when you said
>>
>> "The problem is that crypto is hard, and considering all the
>> implications of how algorithms interact is something few can master."
>>
>> So if you hard code in a single (set of) algorithms, and then a
>> vulnerability is found in it (which happens all the time), then you are
>> screwed because you have no alternatives to switch to.
>>
>> Some applications still have MD5 hard coded in, which is why many root
>> CAs with MD5 are still configured into most browsers. And that provided
>> the attack hole for APTs sending out "microsoft" updates with spoofed
>> MD5 certs.
>
> The thing is, unless you are asking for negotiating algorithms on the
> fly, what is the difference from changing a configuration option and
> patching a single python source file?
>
> Sure we can set the HMAC and encryption scheme in a config file, but due
> to the networked nature of queues, it means you still have to manually
> change this configuration on all hosts and restart the cloud.
> I see no difference between doing that and patching all components and
> restarting the cloud. Is there?
>
> I will look into making this configurable now anyway :)
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



-- 
Davanum Srinivas :: http://davanum.wordpress.com
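An added illustration of the point under discussion (example code, not from Nova, Keystone or either poster): if the signer records which HMAC algorithm it used in the message envelope and binds that name into the MAC input, receivers can be configured with an allowlist that accepts both the old and the new algorithm during a rolling change, and only later shrink the list, instead of every host needing a simultaneous restart. The envelope layout, the shared key and the function names are assumptions for this example.

```python
import hashlib
import hmac
import json
from typing import Optional

# Algorithms this receiver is willing to run at all; MD5 is deliberately
# not in the table, so an envelope claiming "md5" is rejected outright.
KNOWN_MACS = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}

# Constructed key for the example; a real deployment would distribute it per service.
SHARED_KEY = b"constructed-example-key"


def _mac_input(mac_name: str, body: bytes) -> bytes:
    # The algorithm name is part of the signed data, so relabelling an
    # envelope to a weaker algorithm invalidates the tag.
    return mac_name.encode() + b"\0" + body


def sign_message(key: bytes, payload: dict, mac_name: str = "sha256") -> dict:
    """Build an envelope carrying the payload, the MAC name used and the tag."""
    if mac_name not in KNOWN_MACS:
        raise ValueError(f"unsupported MAC algorithm: {mac_name}")
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, _mac_input(mac_name, body), KNOWN_MACS[mac_name]).hexdigest()
    return {"mac": mac_name, "body": body.decode(), "tag": tag}


def verify_message(key: bytes, envelope: dict, accepted: set) -> Optional[dict]:
    """Return the payload if the tag verifies under a currently accepted algorithm, else None."""
    mac_name = envelope.get("mac")
    if mac_name not in accepted or mac_name not in KNOWN_MACS:
        return None
    body = envelope.get("body", "").encode()
    expected = hmac.new(key, _mac_input(mac_name, body), KNOWN_MACS[mac_name]).hexdigest()
    if not hmac.compare_digest(expected, envelope.get("tag", "")):
        return None
    return json.loads(body)


if __name__ == "__main__":
    env = sign_message(SHARED_KEY, {"method": "run_instance", "args": {"id": 42}})
    # Transition period: receivers accept the old and the new algorithm.
    print(verify_message(SHARED_KEY, env, {"sha256", "sha512"}))
    # After the rollout the allowlist is narrowed and old-style messages are dropped.
    print(verify_message(SHARED_KEY, env, {"sha512"}))
```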


