Hi,
Does anyone have a better suggestion? So far, more it is off by default, if no more comments, I will reopen [1], and write to guide the user how to open a document of this feature [1] https://github.com/apache/incubator-iotdb/pull/1033 Thanks --- Dawei Liu On 04/13/2020 20:09,Jialin Qiao<[email protected]> wrote: Hi Chris, Thanks for your sharing! +1 for disabling these services by default. At the same time, we need to add clear instruction to let users enable these services easily. Thanks, -- Jialin Qiao School of Software, Tsinghua University 乔嘉林 清华大学 软件学院 -----原始邮件----- 发件人: "Christofer Dutz" <[email protected]> 发送时间: 2020-04-13 19:27:25 (星期一) 收件人: "[email protected]" <[email protected]> 抄送: 主题: Re: 回复: About the security issues that mqtt-server is turned on by default Hi all, I would strongly suggest not to turn on services like MQTT and HTTP per default. The reason is that people will hold the project accountable for potential security issues that might come up. For example in the Apache Flex project we had a sub-project called BlazeDS. This is a web-connector for Flex applications. We had all features open per default and asked users to lock it down as needed. Unfortunately we had to implement 3-4 CVE security bugfix releases because of this and none of them actually affected BlazeDS code, but third party code (Mostly XML libraries ore Apache Commons deserialization issues). When I changed things to being completely locked down but making it simple for users to unlock the parts they need, we didn't have to release a single bugfix release since then. Chris Am 13.04.20, 08:15 schrieb "伍 雄" <[email protected]>: I think mqtt-server shouled be shutdown by default. As I think It's hard to guarantee that there are no security issues in the future. Usually user installed iotDB, most of user defalut configuration, if mqtt-server have security issues in the future,it will be affecting many devices if turned on by default. We should use the minimum principle to open the port. ________________________________ 发件人: Dawei Liu <[email protected]> 发送时间: 2020年4月13日 3:26 收件人: [email protected] <[email protected]> 主题: About the security issues that mqtt-server is turned on by default Hi, Xiangdong and I had an interesting discussion on github[1]. We reached an agreement that mqtt-server would be turned on by default for the user. But I think the security details still need to be discussed. Can anyone provide some advice on security? [1] https://github.com/apache/incubator-iotdb/pull/1033 Thanks --- Dawei Liu
