[mod_cluster-issues] [JBoss JIRA] (MODCLUSTER-417) Obfuscating jvmRoute as to hide topology
Radoslav Husar (JIRA)
issues at jboss.org
Thu Jul 24 04:51:31 EDT 2014
[ https://issues.jboss.org/browse/MODCLUSTER-417?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Radoslav Husar resolved MODCLUSTER-417.
---------------------------------------
Resolution: Rejected
> Obfuscating jvmRoute as to hide topology
> ----------------------------------------
>
> Key: MODCLUSTER-417
> URL: https://issues.jboss.org/browse/MODCLUSTER-417
> Project: mod_cluster
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Components: Native (httpd modules)
> Affects Versions: 1.3.0.Final, 1.2.9.Final
> Reporter: Radoslav Husar
> Assignee: Jean-Frederic Clere
> Priority: Minor
>
> Feature request from https://github.com/jmcabrera
> Hello guys.
> First of all, this is a feature request and not a bug.
> I would like to "obfuscate" the jvmRoute so that an external attacker cannot "guess" the topology of my internal infrastructure.
> The "strong" way would be to have a symmetrical cipher with a configurable key.
> mod_cluster could then cipher the jsessionid before exposing it to the external world, and decipher it to recover the jvmRoute and properly redirect the request.
> But I guess that this would have very undesirable consequences on performance.
> The "weak" way would be just obfuscate, i.e. let's say that the jsessionid is alea + '.' + jvmRoute. We could take a part of the alea to alter the jvmroute in a reversible way (XORing for instance).
> Anyhow, the expected effect would be that the jvmroute would be externally different for each and every request.
> Unfortunately, I have close to no C skills, hence I cannot make this myself.
> (as a side note, coming from mod_jk, I'm quite impressed by the features mod_cluster offers! Thanks for the good work :) )
--
This message was sent by Atlassian JIRA
(v6.2.6#6264)
More information about the mod_cluster-issues
mailing list