views:

486

answers:

3

I believe that internode communication is taking place in the clear and that the cookie value is strictly used for authentication. (I do not have any proof as yet).

  1. How do I encrypt internode comms?
  2. How do I encrypt Mnesia replication messages?
  3. How do I configure my firewall and packet filters to permit these messages to pass through?
  4. How do I prevent snooping of my Erlang traffic?
+4  A: 

Well, since it all runs over IP, one option would be to use IPsec between your nodes. Encrypted VPN connections could also do the trick. Neither of these requires any changes on the Erlang side of things, nor will the Erlang programs or runtime be aware that the encryption is happening, except in the (hopefully) rare case of attacks that cause communication to fail, in which case it will look as if the other node is down.

Curt Sampson
+1 true, but non-trivial.
Richard
Indeed. I'm not sure that there is a trivial solution to this problem.
Curt Sampson
I'm inclined to accept this answer because it makes sense and it seems to be the strongest. Considering the "Unix way", this eliminates having to add code to the Erlang implementation, making it more elegant. Thanks!
Richard
+1  A: 

There are basically two options:

  1. Use SSL to connect the Erlang nodes as described on Trap Exit
  2. Use underlying IP mechanisms like VPN or IPsec
gleber
-1 old. The Trap Exit article was written in 2007, and the author hopes for inclusion of some patches he made. Apparently SSL is an option (I do not see where yet); however, one cannot control the port, as he said.
Richard
+2  A: 

You can use an SSH tunnel to pass all Erlang communications through it, using the -rsh ssh parameter. You will want to set up certificate-based authentication for ssh (i.e. no passwords). Then you can simply use something along the lines of

erl -rsh ssh ....

For additional details, please see:

none
As far as "stunnel" is concerned, in order to be effective one needs to know which ports Erlang is going to use. I have not been able to identify that, and in fact it has been said that they are hard to nail down. I read the rest of your answer and followed the links. While this is a cool feature (and yet poorly documented), it does not address my question, which is about RPC.
Richard
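As an added example (not from any of the answers above), this script shows how the "use SSL" and "configure the firewall" parts fit together with OTP's own TLS distribution carrier: it writes the option file consumed by -ssl_dist_optfile, pins the distribution listen ports with the kernel parameters inet_dist_listen_min/max so a packet filter can allow exactly those ports plus epmd's 4369, and builds the erl command line. The certificate directory, node name and peer address are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original question or answers.
# Assumptions: CERT_DIR holds a per-node cert/key and the cluster CA cert
# (placeholder paths); epmd stays on its default TCP port 4369.

CERT_DIR="${CERT_DIR:-/etc/erlang/tls}"

# Write the option file read by -ssl_dist_optfile. Both sides require a peer
# certificate signed by our CA, so knowing the cookie alone is no longer
# enough to join the cluster, and traffic is no longer in the clear.
write_ssl_dist_conf() {
  out="$1"
  cat > "$out" <<EOF
[{server, [{certfile,   "$CERT_DIR/node.pem"},
           {keyfile,    "$CERT_DIR/node.key"},
           {cacertfile, "$CERT_DIR/ca.pem"},
           {verify, verify_peer},
           {fail_if_no_peer_cert, true},
           {secure_renegotiate, true}]},
 {client, [{certfile,   "$CERT_DIR/node.pem"},
           {keyfile,    "$CERT_DIR/node.key"},
           {cacertfile, "$CERT_DIR/ca.pem"},
           {verify, verify_peer},
           {secure_renegotiate, true}]}].
EOF
}

# Build the erl command line: switch the distribution carrier to TLS and pin
# the listen port range so the firewall rules below can be exact.
# (Older OTP releases additionally needed -boot start_ssl.)
build_erl_cmd() {
  node="$1"; conf="$2"
  printf '%s' "erl -name $node -proto_dist inet_tls -ssl_dist_optfile $conf" \
         " -kernel inet_dist_listen_min 9100 -kernel inet_dist_listen_max 9105"
}

# Packet-filter sketch (iptables syntax): admit only epmd and the pinned
# distribution range, and only from a known cluster peer.
allow_peer_rules() {
  peer="$1"
  printf '%s\n' "iptables -A INPUT -p tcp -s $peer --dport 4369 -j ACCEPT" \
                "iptables -A INPUT -p tcp -s $peer --dport 9100:9105 -j ACCEPT"
}
```

Run the same script on every node with that node's own certificate; a node started with plain -proto_dist inet_tcp will fail the TLS handshake and be reported as down, which is the expected failure mode.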