Encryption of data at rest is a good thing. It should be an orthogonal issue relative to wire level encryption.
Sent from my iPhone

> On Apr 22, 2014, at 12:47, Patrick Hunt <[email protected]> wrote:
>
> Hm. Well the txnlogs didn't make much sense to me. If you have that
> level of access, well then you've got access to everything regardless.
> Shouldn't/wouldn't those files be protected by permissions on the
> datadir?
>
> Also, which "password" are we storing in the txnlog? The session
> password or truly the admin password.
>
> Patrick
>
> On Tue, Apr 22, 2014 at 11:04 AM, Flavio Junqueira
> <[email protected]> wrote:
>> I've created ZK-1917 for this.
>>
>> I think it is referring to the txn logs. If so, SSL encryption alone isn't
>> going to do it.
>>
>> -Flavio
>>
>>> On 22 Apr 2014, at 18:55, Patrick Hunt <[email protected]> wrote:
>>>
>>>> On Tue, Apr 22, 2014 at 10:14 AM, Michi Mutsuzaki <[email protected]>
>>>> wrote:
>>>> That's a great idea.
>>>>
>>>> The link talks about one specific vulnerability (password being logged
>>>> in a cleartext :( ), but I'm interested in securing ZooKeeper in
>>>> general. I've seen projects staying away from ZooKeeper because it
>>>> doesn't support SSL, for example.
>>>>
>>>
>>> That was one of the reasons why we were trying to add netty support -
>>> it would greatly simplify enabling SSL encryption.
>>>
>>> Patrick
>>>
>>>>
>>>>> On Tue, Apr 22, 2014 at 9:32 AM, Flavio Junqueira <[email protected]> wrote:
>>>>> Some of you may have noticed that there is a CVE entry for ZK:
>>>>>
>>>>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0085
>>>>>
>>>>> I've never perceived ZK as a project particularly strong on the security
>>>>> side, but I was wondering how folks in the list feel about creating a jira
>>>>> and working something out.
>>>>>
>>>>> -Flavio
>>
