On 10/03/15 10:53, Simone Tiraboschi wrote:
In order to trust an https connection to the engine you have
to trust its CA but you still don't know it cause it's a
private one and it has been just created on the engine from scratch.
Can't the setup display the necessary parameters to make
sure I trust the right CA when I accept it in my browser?
It could even create a consumable file, which I can copy
to my workstation and import there.
Blindly downloading the engine CA cert and blindly trusting it is
not
that different that simply using http to download the public key:
this is correct, but who would do this?
of course you need to check if it is the right CA!
in order to fetch it you don't need to send any password
or token and being a public key you don't need to crypt
it by definition so you don't need encryption.
this is not about keeping the public key secret, but
about keeping the channel over which it is transferred
secure. so no one can tamper with the key and send
you another public key to a different machine.
(dns spoofing, arp spoofing etc.)
if you don't check the public key and ensure you
connect to the correct machine, there is no need
for public keys anyway and you could just skip this
step.
imho this is a security bug.
other people would just consider this a hardening.
trusting the local network is a security mindset
from the 90's.
most LANs have to many hosts which you might
don't even know.
you could also be on some shared foreign network
where third party machines from different users
can tamper with the network.
I have seen user reports who used some
leased hardware in offsite data centers to install
ovirt, where you can't fully trust all local clients.
this should be more secure by default imho.
--
Mit freundlichen Grüßen / Regards
Sven Kieske
Systemadministrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Geschäftsführer: Robert Meyer
St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen
Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen