openstack team mailing list archive

[Soren Hansen <soren@xxxxxxxxxx>]

2011/3/1 Eric Day <eday@xxxxxxxxxxxx>:
> Signature based auth such as EC2 should also always require
> a secure channel too, but if not attacks are less severe since they
> are limited to reply attacks only (the request and parameters are used
> as part of the signature).

Just a note: The request also includes a timestamp and an expiration
field, so replay attacks are only possible within a certain
(user-defined) timeframe.

-- 
Soren Hansen
Ubuntu Developer    http://www.ubuntu.com/
OpenStack Developer http://www.openstack.org/