On Mar 29, 2009, at 11:43 AM, Paul Querna wrote:
URL Authentication is done by computing a randomly seeded md5 signature of: seed + "$" + MD5(seed + shared_secret + uri). This is base64 encoded, and placed in a 'X-Cloudbeat-Auth' header.
Thinking out loud here... The idea I think is to ensure that the X-Cloudbeat-Auth defines an authenticated server, using the fact that it knows the shared secret. But how does the above do that? Say for example that A and B are known to each other and B is sending X-Cloudbeat-Auth. This is easy to find out, of course. So I set up B' to send the exact same header and apply a DoS to B causing it to drop/hang/whatever. Won't A just see B' as B, maybe thinking that it had a momentary glitch and came back? It seems to me that we need some sort of IP:port knowledge in there as well.
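The header computation quoted above and the reply's concern, as an added worked example that is not code from this thread or from the project. Assumed: the seed is 16 random bytes rendered as hex, the MD5 is its hex digest, the secret and URI are constructed values, and the optional peer/seen_seeds parameters are an added sketch of the ip:port binding the reply asks for, not the project's scheme.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed values for this example; the real shared secret is not on the page.
SHARED_SECRET = b"example-shared-secret"
URI = "/cloudbeat/status"


def _digest(seed: bytes, secret: bytes, uri: str, peer: str) -> bytes:
    # MD5(seed + shared_secret + uri) as described; hex digest is an assumption.
    # peer is "" for the scheme as described; a non-empty ip:port is the added
    # binding suggested in the reply (an assumption, not the project's design).
    return hashlib.md5(seed + secret + uri.encode() + peer.encode()).hexdigest().encode()


def make_auth_header(secret: bytes, uri: str, seed: bytes = b"", peer: str = "") -> str:
    """X-Cloudbeat-Auth value: base64(seed + "$" + MD5(seed + secret + uri))."""
    seed = seed or os.urandom(16).hex().encode()  # assumed: 16 random bytes, hex-encoded
    return base64.b64encode(seed + b"$" + _digest(seed, secret, uri, peer)).decode()


def verify_auth_header(header: str, secret: bytes, uri: str,
                       peer: str = "", seen_seeds: Optional[set] = None) -> bool:
    """Receiver-side check. With the defaults it verifies exactly the scheme as
    described, which accepts the same header every time it is presented. Passing
    peer binds the sender's ip:port, and seen_seeds makes each seed single-use."""
    try:
        seed, sep, digest = base64.b64decode(header, validate=True).partition(b"$")
    except ValueError:  # not valid base64
        return False
    if not sep:
        return False  # no "$" separator between seed and digest
    if seen_seeds is not None and seed in seen_seeds:
        return False  # this seed was already accepted once
    if not hmac.compare_digest(digest, _digest(seed, secret, uri, peer)):
        return False
    if seen_seeds is not None:
        seen_seeds.add(seed)
    return True


if __name__ == "__main__":
    hdr = make_auth_header(SHARED_SECRET, URI)
    print("accepted:", verify_auth_header(hdr, SHARED_SECRET, URI))
    print("accepted again unchanged:", verify_auth_header(hdr, SHARED_SECRET, URI))
    seen = set()
    bound = make_auth_header(SHARED_SECRET, URI, peer="10.0.0.2:8080")
    print("bound, first use:", verify_auth_header(bound, SHARED_SECRET, URI, "10.0.0.2:8080", seen))
    print("bound, second use:", verify_auth_header(bound, SHARED_SECRET, URI, "10.0.0.2:8080", seen))
```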
