"As they carry QueryID/SecretKey in clear, anyone that can sniff the network can gain admin privileges on eucalyptus."
This assertion is incorrect. The secret is never sent in the clear. A replay attack is possible and its gravity will depend on the specific operation that is replayed.
Chris Jones is correct. There is a workaround for this, however, which involves explicitly trusting the cert, which, depending on the client, may or may not be a manual step.
Eucalyptus upstream will fix this in the next release.
Thanks.
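Added example, not part of the original comment and not Eucalyptus code: a minimal HMAC-signed query scheme, assumed here as a stand-in for the real signing format, showing that only a signature crosses the wire and how a verifier can reject a captured request that is replayed or stale. The key, the action names, the timestamps and the `Verifier` class are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import quote

SECRET = b"constructed-secret-key"  # constructed sample; shared out of band

def canonical(params):
    # Sort and percent-encode so client and server sign identical bytes.
    return "&".join(f"{quote(k, safe='')}={quote(str(v), safe='')}"
                    for k, v in sorted(params.items()))

def sign(params, secret):
    # Client side: the request carries an HMAC of its parameters, not the secret.
    mac = hmac.new(secret, canonical(params).encode(), hashlib.sha256).hexdigest()
    return dict(params, Signature=mac)

class Verifier:
    def __init__(self, secret, max_skew=300):
        self.secret, self.max_skew = secret, max_skew
        self.seen = {}  # signature -> time after which the request is stale anyway

    def check(self, request, now):
        params = {k: v for k, v in request.items() if k != "Signature"}
        expected = hmac.new(self.secret, canonical(params).encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(request.get("Signature", ""))):
            return "bad-signature"
        ts = int(params.get("Timestamp", 0))
        if abs(now - ts) > self.max_skew:
            return "stale"
        # Forget signatures that the timestamp window would reject on its own.
        self.seen = {s: exp for s, exp in self.seen.items() if exp >= now}
        if expected in self.seen:
            return "replayed"
        self.seen[expected] = ts + self.max_skew
        return "ok"

def demo():
    now = 1_000_000  # constructed clock value
    req = sign({"Action": "TerminateInstances", "QueryID": "constructed-id",
                "Timestamp": now}, SECRET)
    v = Verifier(SECRET)
    results = [v.check(req, now),          # first delivery
               v.check(req, now + 10),     # identical bytes sent again
               v.check(req, now + 301),    # sent again outside the window
               v.check(dict(req, Action="RunInstances"), now)]  # altered copy
    return req, results

if __name__ == "__main__":
    print(demo()[1])
```

Without the timestamp window and the seen-signature cache, the second and third deliveries would verify exactly like the first, which is the replay exposure the comment describes.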