Thursday, December 18, 2008

[ Cloud Computing ] Re: security issue at AWS

On Thu, 18 Dec 2008 10:39:42 -0600
Tim Freeman <tfreeman@mcs.anl.gov> wrote:

>
> As Colin says, "The important bit first:"
>
> "If you are making Query (aka REST) requests to Amazon SimpleDB, to Amazon
> Elastic Compute Cloud (EC2), or to Amazon Simple Queue Service (SQS) over
> HTTP, and there is any way for an attacker to provide you with data which you
> use to construct your request, switch to HTTPS or start using AWS signature
> version 2 now."
>
> AWS signature version 1 is insecure
> http://www.daemonology.net/blog/2008-12-18-AWS-signature-version-1-is-insecure.html

Best I've seen on this so far:

http://cloudsecurity.org/2008/12/18/whats-new-in-the-amazon-cloud-security-vulnerability-in-amazon-ec2-and-simpledb-fixed-75-months-after-notification/

Root of the MITM problem:

"Because there are no delimiters between the keys and values, the signature
for "foo=bar" is identical to the signature for "foob=ar"; moreover, the
signature for "foo=bar&fooble=baz" is the same as the signature for
"foo=barfooblebaz"."

Craig raises some important visibility and other issues for EC2 customers at
the end; the whole thing is worth reading.

In the post he says this about a public security commitment: "Until now they
could argue they didn't need to - they hadn't messed up (or at least, we don't
think they did)."

But there have been some problems. Remember that for a long time EC2 had default
AMIs whose SSH host keys were not generated at boot (although no one in their
right mind should base anything critical on a random, public AMI anyhow). And
from way back in ancient history (2006), there was an issue where data left on
the ephemeral storage block device by previous customers could be lifted from
new instances.

Anyhow, my main eyebrow-raise here: where is my Amazon email or RSS about this
signature issue?

Tim
-- still an AWS lover

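A worked illustration of the collision quoted above, added here as an example; it is not code from this post, from Colin's blog, or from AWS. It reimplements the version 1 string-to-sign (case-insensitive sort, then name and value concatenated with nothing in between) next to a version 2 string-to-sign (percent-encoded names and values joined with `=` and `&`), checks the two "foo=bar" collisions from the quote, and then plays out a man-in-the-middle rewrite of a SimpleDB PutAttributes request. The secret key and the PutAttributes scenario are constructed for the demo; the parameter names follow the SimpleDB Query API, but the exact request, the omitted AWSAccessKeyId/Timestamp parameters, and the use of hex instead of base64 for the MAC are simplifications.

```python
"""AWS signature v1 vs v2: why concatenating name+value with no delimiter
lets a man-in-the-middle rewrite a signed request (added example)."""
import hashlib
import hmac
import urllib.parse

# Constructed sample secret for the demonstration; not a real AWS credential.
SECRET_KEY = b"example-secret-not-a-real-aws-key"


def canonical_v1(params):
    """Signature version 1 string-to-sign: parameters sorted by name
    case-insensitively, then each name and value concatenated with no
    delimiter at all.  (Real requests also carry AWSAccessKeyId,
    SignatureVersion and Timestamp; they are omitted here.)"""
    ordered = sorted(params.items(), key=lambda kv: kv[0].lower())
    return "".join(name + value for name, value in ordered)


def sign_v1(params, secret=SECRET_KEY):
    """HMAC-SHA1 over the version 1 string (hex here instead of base64)."""
    return hmac.new(secret, canonical_v1(params).encode(), hashlib.sha1).hexdigest()


def canonical_v2(params, method="GET", host="sdb.amazonaws.com", path="/"):
    """Signature version 2 string-to-sign: method, host, path and a query
    string in which every name and value is RFC 3986 percent-encoded and
    joined with '=' and '&'.  Because '=' and '&' can never appear unencoded
    inside a name or value, the string decodes to exactly one parameter set."""
    def enc(s):
        return urllib.parse.quote(s, safe="-_.~")
    query = "&".join(enc(n) + "=" + enc(v) for n, v in sorted(params.items()))
    return "\n".join([method, host, path, query])


def sign_v2(params, secret=SECRET_KEY):
    """HMAC-SHA256 over the version 2 string (hex here instead of base64)."""
    return hmac.new(secret, canonical_v2(params).encode(), hashlib.sha256).hexdigest()


def v1_collision(a, b):
    """True when two different parameter sets carry the same v1 signature."""
    return a != b and sign_v1(a) == sign_v1(b)


# The two collisions quoted in the post.
QUOTED_COLLISIONS = [
    ({"foo": "bar"}, {"foob": "ar"}),
    ({"foo": "bar", "fooble": "baz"}, {"foo": "barfooblebaz"}),
]

# Constructed scenario (not from the post): a web app stores user-supplied
# text as the "note" attribute of a SimpleDB item, over plain HTTP with
# signature v1.  The attacker submits a note whose text reads like two
# extra parameters...
ATTACKER_NOTE = "hiAttribute.2.NameadminAttribute.2.Valuetrue"
VICTIM_REQUEST = {
    "Action": "PutAttributes",
    "DomainName": "users",
    "ItemName": "mallory",
    "Attribute.1.Name": "note",
    "Attribute.1.Value": ATTACKER_NOTE,
}
# ...and, sitting on the wire, rewrites the request so the same characters
# are parsed as a second attribute.  The v1 string-to-sign is unchanged,
# so the signature the victim computed still verifies.
FORGED_REQUEST = {
    "Action": "PutAttributes",
    "DomainName": "users",
    "ItemName": "mallory",
    "Attribute.1.Name": "note",
    "Attribute.1.Value": "hi",
    "Attribute.2.Name": "admin",
    "Attribute.2.Value": "true",
}


def forgery_accepted_under(version):
    """Would a server checking signature `version` accept the forged request
    with the signature the victim computed over the original one?"""
    sign = sign_v1 if version == 1 else sign_v2
    return sign(FORGED_REQUEST) == sign(VICTIM_REQUEST)


if __name__ == "__main__":
    for a, b in QUOTED_COLLISIONS:
        print(a, b, "collide under v1:", v1_collision(a, b))
    print("forgery accepted under v1:", forgery_accepted_under(1))
    print("forgery accepted under v2:", forgery_accepted_under(2))
```

The signature check is the only thing standing between the attacker and the rewritten request once the transport is plain HTTP; whether SimpleDB then acts on the extra attribute is a question of the service's own parameter handling, not of the MAC. The fix in version 2 is not a stronger hash but an unambiguous encoding: with `=` and `&` as delimiters and everything else percent-encoded, the string-to-sign decodes to exactly one parameter set, which is why the advice quoted at the top is "switch to HTTPS or signature version 2".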