[rabbitmq-discuss] Separate authorization mechanisms for SSL and non-SSL?
Simon MacMullen
simon at rabbitmq.com
Wed Nov 28 10:29:16 GMT 2012
On 28/11/12 05:42, michi.oshima wrote:
> Simon MacMullen-2 wrote
>> And if an SSL client selects PLAIN, do you really mind?
>
> I'm thinking I do. If an "attacker" can select PLAIN, then the attacker
> would only have to guess the correct password to gain access to the server,
> which is easier than faking a certificate. (Or so I heard... Does it just
> depend on the length of the password?)

Hmm, I suppose so. Although we do rate-limit failed connection attempts
to try to prevent this.

Cheers, Simon
--
Simon MacMullen
RabbitMQ, VMware