Hm. Well the txnlogs didn't make much sense to me. If you have that
level of access, well then you've got access to everything regardless.
Shouldn't/wouldn't those files be protected by permissions on the
datadir?

Also, which "password" are we storing in the txnlog? The session
password or truly the admin password?

Patrick

On Tue, Apr 22, 2014 at 11:04 AM, Flavio Junqueira
<[email protected]> wrote:
> I've created ZK-1917 for this.
>
> I think it is referring to the txn logs. If so, SSL encryption alone isn't 
> going to do it.
>
> -Flavio
>
> On 22 Apr 2014, at 18:55, Patrick Hunt <[email protected]> wrote:
>
>> On Tue, Apr 22, 2014 at 10:14 AM, Michi Mutsuzaki <[email protected]> 
>> wrote:
>>> That's a great idea.
>>>
>>> The link talks about one specific vulnerability (password being logged
>>> in cleartext :( ), but I'm interested in securing ZooKeeper in
>>> general. I've seen projects staying away from ZooKeeper because it
>>> doesn't support SSL, for example.
>>>
>>
>> That was one of the reasons why we were trying to add netty support -
>> it would greatly simplify enabling SSL encryption.
>>
>> Patrick
>>
>>>
>>> On Tue, Apr 22, 2014 at 9:32 AM, Flavio Junqueira <[email protected]> wrote:
>>>> Some of you may have noticed that there is a CVE entry for ZK:
>>>>
>>>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0085
>>>>
>>>> I've never perceived ZK as a project particularly strong on the security
>>>> side, but I was wondering how folks in the list feel about creating a jira
>>>> and working something out.
>>>>
>>>> -Flavio
>
