[rabbitmq-discuss] Session replay attack
Simon MacMullen
simon at rabbitmq.com
Tue Sep 10 09:56:12 BST 2013
On 09/09/2013 9:59PM, Kapil Goyal wrote:
> How does Rabbit MQ prevent session replay attacks? Does it implement a
> session management mechanism to manage active login sessions and to
> prevent spoofing/masquerading?

Do you mean when using SSL or not? When using SSL, session replay
attacks should not be possible for the usual SSLish reasons.

When using vanilla AMQP all bets are off - there's nothing in AMQP to
prevent such attacks (and I think it would be a really bad idea to go in
that direction, AMQP would end up growing an ad-hoc,
informally-specified, bug-ridden implementation of half of Common
Li^W^WSSL).

Cheers, Simon
--
Simon MacMullen
RabbitMQ, Pivotal
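
An added example, not part of the original thread and not RabbitMQ project code: since plain AMQP has nothing to prevent replay and SSL does, a broker can be audited to confirm it accepts AMQP over TLS only. The sketch assumes the newer `rabbitmq.conf` key = value format (which postdates this 2013 message); the sample configs and certificate paths are constructed.

```python
import re

# Constructed sample configs (not taken from any real deployment).
PLAINTEXT_CONF = """
# plain AMQP on the default port
listeners.tcp.default = 5672
"""

TLS_ONLY_CONF = """
listeners.tcp = none
listeners.ssl.default = 5671
ssl_options.cacertfile = /path/to/ca_certificate.pem
ssl_options.certfile = /path/to/server_certificate.pem
ssl_options.keyfile = /path/to/server_key.pem
"""

def parse_conf(text):
    """Parse 'key = value' lines, ignoring blanks and # comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit_listeners(text):
    """Return a list of findings; an empty list means AMQP is TLS-only."""
    conf = parse_conf(text)
    tcp = {k: v for k, v in conf.items() if re.match(r"listeners\.tcp(\.|$)", k)}
    ssl = {k: v for k, v in conf.items() if k.startswith("listeners.ssl.")}
    findings = []
    if not tcp:
        # With no tcp setting the broker keeps its default plaintext listener.
        findings.append("listeners.tcp unset: default plaintext listener on 5672")
    elif conf.get("listeners.tcp") != "none":
        for key, value in sorted(tcp.items()):
            findings.append(f"plaintext AMQP listener {key} = {value}")
    if not ssl:
        findings.append("no listeners.ssl.* entry: TLS is not offered")
    else:
        for opt in ("cacertfile", "certfile", "keyfile"):
            if f"ssl_options.{opt}" not in conf:
                findings.append(f"ssl_options.{opt} is not set")
    return findings

if __name__ == "__main__":
    for name, conf in (("plaintext", PLAINTEXT_CONF), ("tls-only", TLS_ONLY_CONF)):
        print(name, audit_listeners(conf) or "OK")
```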