On Mar 30, 2009, at 10:45 AM, Jim Jagielski wrote:
On Mar 29, 2009, at 11:43 AM, Paul Querna wrote:
URL Authentication is done by computing an randomly seeded md5
signature of:
seed + "$"+ MD5(seed + shared_secret + uri)
This is base64 encoded, and placed in a 'X-Cloudbeat-Auth' header.
Thinking outloud here... The idea I think is to ensure that
the X-Cloudbeat-Auth defines an authenticated server, using
the fact that it knows the shared secret. But how does the
above do that? Say for example that A and B known to each
other and B is sending X-Cloudbeat-Auth. This is easy to
find out, of course. So I setup B' to send the exact same
header and apply a DoS to B causing it to drop/hang/whatever.
Won't A just see B' as B, maybe thinking that it had a
momentary glitch and came back? It seems to me that we need
some sort of IP:port knowledge in there as well.
Hold on a tic... if the uri is the uri of what *I am handling*
then, of course, this is sufficient. But if it's the
prefix of urls that will be handled (like the 1st arg
to ProxyPass) then it's not.
