[rabbitmq-discuss] Session replay attack

Simon MacMullen simon at rabbitmq.com
Tue Sep 10 09:56:12 BST 2013


On 09/09/2013 9:59PM, Kapil Goyal wrote:
> How does Rabbit MQ prevent session replay attacks? Does it implement a
> session management mechanism to manage active login sessions and to
> prevent spoofing/masquerading?

Do you mean when using SSL or not? When using SSL, session replay 
attacks should not be possible for the usual SSLish reasons.

When using vanilla AMQP all bets are off - there's nothing in AMQP to 
prevent such attacks (and I think it would be a really bad idea to go in 
that direction, AMQP would end up growing an ad-hoc, 
informally-specified, bug-ridden implementation of half of Common 
Li^W^WSSL).

Cheers, Simon

-- 
Simon MacMullen
RabbitMQ, Pivotal
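
Added example (not part of the original message and not RabbitMQ code): a simplified Python model of why a recorded frame is accepted again over an unprotected connection but rejected by an SSL/TLS-style record layer, which keys every connection from fresh randoms and authenticates a per-record sequence number. The secret, the login frame and all names are constructed for illustration, and encryption is left out.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the secret a real TLS handshake negotiates.
MASTER_SECRET = b"constructed-demo-master-secret"
CAPTURED_LOGIN = b"LOGIN user=app password=constructed-pw"  # constructed frame


def plain_server_accepts(frame):
    """Unprotected transport: a frame is judged on its bytes alone."""
    return frame == CAPTURED_LOGIN


class Session:
    """One end of a protected connection: per-connection key plus counter."""

    def __init__(self, client_random, server_random):
        self.key = hmac.new(MASTER_SECRET, client_random + server_random,
                            hashlib.sha256).digest()
        self.seq = 0

    def _tag(self, payload):
        return hmac.new(self.key, self.seq.to_bytes(8, "big") + payload,
                        hashlib.sha256).digest()

    def seal(self, payload):
        record = payload + self._tag(payload)
        self.seq += 1
        return record

    def open(self, record):
        payload, tag = record[:-32], record[-32:]
        if not hmac.compare_digest(tag, self._tag(payload)):
            return None  # forged, reordered or replayed record
        self.seq += 1
        return payload


def connect():
    """Return (client, server) sessions keyed from fresh randoms."""
    c_rand, s_rand = os.urandom(32), os.urandom(32)
    return Session(c_rand, s_rand), Session(c_rand, s_rand)


def demo():
    client, server = connect()
    captured = client.seal(CAPTURED_LOGIN)   # what an eavesdropper records
    first = server.open(captured)            # legitimate delivery
    same_conn = server.open(captured)        # replay on the same connection
    _, new_server = connect()
    new_conn = new_server.open(captured)     # replay on a fresh connection
    return first, same_conn, new_conn, plain_server_accepts(CAPTURED_LOGIN)
```

The same-connection replay fails on the sequence number, the new-connection replay fails because the key changed, and the plain check accepts the recorded bytes unchanged.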

