"As they carry QueryID/SecretKey in clear, anyone that can sniff the
network can gain admin privileges on eucalyptus."

This assertion is incorrect. The secret is never sent in the clear. A
replay attack is possible and its gravity will depend on the specific
operation that is replayed.

Chris Jones is correct. There is a workaround for this, however, which
involves explicitly trusting the cert, which, depending on the client, may
or may not be a manual step.

Eucalyptus upstream will fix this in the next release.

thanks.

-- 
Eucalyptus does not allow api connection over https
https://bugs.launchpad.net/bugs/480783