incubator-cassandra-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sameer Farooqui <cassandral...@gmail.com>
Subject Re: Questions about using MD5 encryption with SimpleAuthenticator
Date Thu, 19 May 2011 00:16:28 GMT
I am wearing said hat and am freaking out right now :-)

Just kidding and good point. I guess it would be nice if clients like Hector
had an option to use TLS/SSL to encapsulate the application protocol.

But even SSL/TLS is subject to attacks from tools like SSLSNIFF:
http://www.thoughtcrime.org/software/sslsniff



On Wed, May 18, 2011 at 2:33 PM, Aaron Morton <aaron@thelastpickle.com>wrote:

> Also if you were wearing an aluminium foil hat you may also be concerned
> about how the password is sent to the server.
>
> Again though, see previous "I am not a security guy" comment and helpful
> link from Jonathan confirming that statement :)
> Cheers
>
> -----------------
> Aaron Morton
> Freelance Cassandra Developer
> @aaronmorton
> http://www.thelastpickle.com
>
> On 19/05/2011, at 1:19 AM, Ted Zlatanov <tzz@lifelogs.com> wrote:
>
> > On Tue, 17 May 2011 15:52:22 -0700 Sameer Farooqui <
> cassandralabs@gmail.com> wrote:
> >
> > SF> Would still be nice though to use the bcrypt hash over MD5 for
> stronger
> > SF> security.
> >
> > I used MD5 when I proposed SimpleAuthenticator for two reasons:
> >
> > 1) SimpleAuthenticator is supposed to be a demo of the authentication
> > interface.  It can be used for testing and trivial setups, but I
> > wouldn't use it in production.  So it's meant to get you going easily,
> > not to serve you long-term.
> >
> > 2) MD5 is built into Java.  At the time, bcrypt and SHA-* were not.  I
> > used MD5 only so the passwords are not stored in the clear, not to
> > provide production-level security.
> >
> > You should consider carefully the implications of storing passwords in a
> > file on a database server, no matter how they are encrypted.  It would
> > be better to write a trivial AD/LDAP/etc. authenticator that fits your
> > specific needs and doesn't rely on a local file.
> >
> > Ted
> >
>

Mime
View raw message