Github user nkalmar commented on the pull request: https://github.com/apache/zookeeper/commit/a2623a625a4778720f7d5482d0a66e9b37ae556f#commitcomment-29934308 Both JMX and Jetty can be secured. The problem here is, as of my understanding, is that 4ltw command uses the client port. You can secure JMX port, introduce authentication, SSL etc. But you cannot secure the client port like that. So leaving the port open, and the ability to call functions without any authentication or authorization via telnet is not the best practice. By the way, JMX port should only be open on the local machine, as it is the default setting on ZooKeeper. But if you wan't to open it, it should be secured with firewall/gateway settings, IP restrictions, SASL or whatever. Jetty can be also configured for SSL.
---