Comment 4 for bug 480783

Neil Soman (neilsoman) wrote :

"As they carry QueryID/SecretKey in clear, anyone that can sniff the network can gain admin privileges on eucalyptus."

This assertion is incorrect. The secret is never sent in the clear. A replay attack is possible and its gravity will depend on the specific operation that is replayed.

Chris Jones is correct. There is a workaround for this, however, which involves explicitly trusting the cert, which, depending on the client, may or may not be a manual step.

Eucalyptus upstream will fix this in the next release.

thanks.
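To make the two points in the comment above concrete (the secret never travels in the request; only a replay of a signed request is possible), here is an added illustration that is not part of the bug report or of Eucalyptus' own code. It models a generic AWS-style query signature: the client HMACs the canonical query string with its SecretKey and sends only the QueryID, a timestamp and the signature; the server recomputes the HMAC from its own copy of the secret, enforces a freshness window and rejects any signature it has already accepted. The parameter names (`QueryID`, `Timestamp`, `Signature`), the window size and the key values are constructed assumptions for the example, not the project's actual wire format.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed sample credentials (assumption: not real Eucalyptus values).
QUERY_ID = "EXAMPLE-QUERY-ID"
SECRET_KEY = "example-secret-key-never-sent-on-the-wire"


def canonical_string(params):
    """Deterministic encoding of the parameters covered by the signature."""
    return urlencode(sorted(params.items()))


def sign_request(params, query_id, secret_key, timestamp):
    """Client side: attach QueryID and Timestamp, then sign everything with the secret.

    Only the resulting signature leaves the client; the secret itself is never a
    request parameter, so a sniffer sees QueryID + signature, not the key.
    """
    signed = dict(params)
    signed["QueryID"] = query_id
    signed["Timestamp"] = str(timestamp)
    mac = hmac.new(secret_key.encode(), canonical_string(signed).encode(), hashlib.sha256)
    signed["Signature"] = mac.hexdigest()
    return signed


class ReplayGuard:
    """Server side: verify the signature, then bound how long and how often it is valid."""

    def __init__(self, secret_lookup, window_seconds=300):
        self.secret_lookup = secret_lookup  # QueryID -> SecretKey, or None if unknown
        self.window = window_seconds
        self.seen_signatures = set()  # constructed in-memory store for the example

    def verify(self, request, now):
        params = dict(request)
        signature = params.pop("Signature", None)
        if signature is None:
            return False, "missing signature"
        secret = self.secret_lookup(params.get("QueryID"))
        if secret is None:
            return False, "unknown QueryID"
        expected = hmac.new(secret.encode(), canonical_string(params).encode(), hashlib.sha256)
        # Constant-time comparison so a sniffer cannot refine a forged signature.
        if not hmac.compare_digest(expected.hexdigest(), signature):
            return False, "bad signature"
        try:
            ts = int(params["Timestamp"])
        except (KeyError, ValueError):
            return False, "bad timestamp"
        # A captured request can only be replayed within this window...
        if abs(now - ts) > self.window:
            return False, "stale timestamp"
        # ...and only once, because an accepted signature is remembered.
        if signature in self.seen_signatures:
            return False, "replay"
        self.seen_signatures.add(signature)
        return True, "ok"


def demo():
    """Walk through a legitimate request, a tampered copy, a replay and a stale replay."""
    guard = ReplayGuard(lambda qid: SECRET_KEY if qid == QUERY_ID else None)
    request = sign_request({"Action": "DescribeInstances"}, QUERY_ID, SECRET_KEY, 1_000_000)
    results = {
        "secret_on_wire": SECRET_KEY in urlencode(request),
        "first_use": guard.verify(request, 1_000_010),
        "replay": guard.verify(request, 1_000_020),
    }
    tampered = dict(request, Action="TerminateInstances")  # sniffer edits the operation
    results["tampered"] = guard.verify(tampered, 1_000_010)
    results["stale"] = ReplayGuard(lambda qid: SECRET_KEY).verify(request, 1_000_000 + 3600)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The example shows why the gravity of a replay depends on the operation: an attacker who captures a signed `DescribeInstances` can only re-issue that exact request (once, within the window, under this guard), and cannot change it to a different action without the secret.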