Comment 15 for bug 1872737

Colleen Murphy (krinkle) wrote : Re: Keystone doesn't check signature TTL of the EC2 credential auth method

> The requirement that the attacker be able to obtain a copy of the victim's token, however, seems like it presents a significant mitigating factor which reduces the risk of dealing with this report in public. How do folks feel about switching this report to a public workflow? Are tokens generally "easy" to steal in a typical deployment/environment?

In a typical production environment, all traffic should use HTTPS between all involved services and I would not expect there to be any reason to write the AWS token to disk, so I would tend to agree that the bar for stealing this token is high. kay may be able to give more insight about the typical workflow for this feature.