[Openstack] State of OpenStack Auth

Eric Day eday at oddments.org
Tue Mar 1 20:48:50 UTC 2011

On Tue, Mar 01, 2011 at 09:47:00PM +0100, Soren Hansen wrote:
> 2011/3/1 Eric Day <eday at oddments.org>:
> > Signature based auth such as EC2 should also always require
> > a secure channel too, but if not attacks are less severe since they
> > are limited to reply attacks only (the request and parameters are used
> > as part of the signature).
> Just a note: The request also includes a timestamp and an expiration
> field, so replay attacks are only possible within a certain
> (user-defined) timeframe.

Thanks, good to know. So slightly more secure when not over SSL. :)


More information about the Openstack mailing list