yahoo-eng-team team mailing list archive

[Bug 1442048] [NEW] Avoid websocket proxies needing to have matching '*_baseurl' configs with compute nodes

 

Public bug reported:

As part of the fix for the related bug - we've added protocol checking
to mitigate MITM attacks, however we base protocol checking on a config
option that is normally only intended for compute hosts.

This is quite user hostile, as it is now important that all nodes
running compute and proxy services have this option in sync.

We can do better than that - we can persist the URL the client is
expected to use, and once we get it back on token validation, we can
make sure that the request is using the intended protocol, mitigating
the MITM injected script attacks.

** Affects: nova
     Importance: High
     Assignee: Nikola Đipanov (ndipanov)
         Status: Confirmed


** Tags: kilo-rc-potential

** Tags added: kilo-rc-potential

** Changed in: nova
       Status: New => Confirmed

** Changed in: nova
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1442048

Title:
  Avoid websocket proxies needing to have matching '*_baseurl' configs
  with compute nodes

Status in OpenStack Compute (Nova):
  Confirmed

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1442048/+subscriptions
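
One way to implement the check proposed in this report, as an added example that is not nova's code: the compute side stores the client-facing URL with the token, and the proxy compares the scheme of the request's Origin header against that stored URL instead of reading a local '*_baseurl' option. The function names, the in-memory token store, the example.test URLs and the choice to reject a missing Origin header are assumptions.

```python
import secrets
from urllib.parse import urlparse

# Hypothetical in-memory stand-in for the shared console token store.
_TOKENS = {}

# A ws:// console URL is opened from an http:// page, wss:// from https://.
_WS_TO_HTTP = {"ws": "http", "wss": "https"}


def authorize_console(access_url_base, host, port):
    """Compute side: issue a token and persist the URL the client will use."""
    token = secrets.token_urlsafe(16)
    access_url = f"{access_url_base}?token={token}"
    _TOKENS[token] = {"host": host, "port": port, "access_url": access_url}
    return token, access_url


def expected_origin_schemes(access_url):
    """Schemes a legitimate Origin may carry for this console URL."""
    scheme = urlparse(access_url).scheme.lower()
    schemes = {scheme}
    if scheme in _WS_TO_HTTP:
        schemes.add(_WS_TO_HTTP[scheme])
    return schemes


def validate_request(token, origin_header):
    """Proxy side: return connect info, or raise if token or protocol is wrong."""
    info = _TOKENS.get(token)
    if info is None:
        raise PermissionError("invalid or expired token")
    access_url = info.get("access_url")
    if not access_url:
        # Fail closed: without the persisted URL the protocol cannot be checked.
        raise PermissionError("no access_url stored with token")
    # Assumption: a missing or opaque ("null") Origin is rejected as well.
    origin_scheme = urlparse(origin_header or "").scheme.lower()
    if origin_scheme not in expected_origin_schemes(access_url):
        raise PermissionError(
            f"origin protocol {origin_scheme!r} does not match console URL")
    return info
```
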

