httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Paul Querna <p...@querna.org>
Subject Re: [PROPOSAL] mod_cloudbeat
Date Mon, 30 Mar 2009 15:03:33 GMT
On Mon, Mar 30, 2009 at 4:45 PM, Jim Jagielski <jim@jagunet.com> wrote:
>
> On Mar 29, 2009, at 11:43 AM, Paul Querna wrote:
>>
>> URL Authentication is done by computing an randomly seeded md5 signature
>> of:
>>    seed + "$"+ MD5(seed + shared_secret + uri)
>> This is base64 encoded, and placed in a 'X-Cloudbeat-Auth' header.
>>
>
> Thinking outloud here... The idea I think is to ensure that
> the X-Cloudbeat-Auth defines an authenticated server, using
> the fact that it knows the shared secret. But how does the
> above do that? Say for example that A and B known to each
> other and B is sending X-Cloudbeat-Auth. This is easy to
> find out, of course. So I setup B' to send the exact same
> header and apply a DoS to B causing it to drop/hang/whatever.
> Won't A just see B' as B, maybe thinking that it had a
> momentary glitch and came back? It seems to me that we need
> some sort of IP:port knowledge in there as well.

In my mind, URL includes the IP/port, so you shouldn't be able to DoS
it this way.  I guess I should of been clearer by what I meant with
URL.

I was thinking about this more, and we should also change the hash to
sha1, considering it only takes a few days to find md5 collisions if
you have enough playstation 3s:
    seed + "$"+ sha1(seed + shared_secret + ip ":"+ port + URI)

Thanks,

-Paul

Mime
View raw message