I think they do the latter. ZooKeeper 3.4 is highly recommended to run on a network which is isolated from the internet. VPN could be an option, but we don't do any testing on VPN networks.
Andor On Thu, Sep 27, 2018 at 5:14 PM, Jan Høydahl <jan....@cominvent.com> wrote: > Thanks. > > So what do people typically do to mitigate this? Other than restricting > who has access to this network? > > -- > Jan Høydahl, search solution architect > Cominvent AS - www.cominvent.com > > > 27. sep. 2018 kl. 17:10 skrev Andor Molnar <an...@cloudera.com.INVALID>: > > > > Right. It's plaintext. > > > > > > On Thu, Sep 27, 2018 at 4:54 PM, Jan Høydahl <jan....@cominvent.com> > wrote: > > > >> I am *explicitly* asking about old-style 3.4.x socket protocol, not the > >> new Netty transport which I know supports SSL. > >> > >> My original question was whether authentication credentials are passed > in > >> plaintext across the wire and thus being easy to pickup by an attacker. > >> And if that is true, if there are know ways of working around the lack > of > >> SSL support for the TCP transport. > >> > >> Martin Gainty, I cannot see how I can easily plug in TLS1.3 in my > existing > >> connection between client and Zookeeper 3.4.x, but if there is a simple > way > >> to do so then please share how you did it. > >> > >> The only solution I see, as we're stuck with 3.4.x, is to setup IPSec > >> tunnels on OS level on all client/server traffic. I wanted to avoid > that. > >> > >> -- > >> Jan Høydahl, search solution architect > >> Cominvent AS - www.cominvent.com > >> > >>> 27. sep. 2018 kl. 16:14 skrev Andor Molnar <an...@cloudera.com.INVALID > >: > >>> > >>> https://cwiki.apache.org/confluence/display/ZOOKEEPER/ > >> ZooKeeper+SSL+User+Guide > >>> > >>> SSL (client-server) has been added in 3.5.1 > >>> SSL server-server support is being reviewed on GitHub. > >>> > >>> Regards, > >>> Andor > >>> > >>> > >>> > >>> On Thu, Sep 27, 2018 at 3:46 PM, Jan Høydahl <jan....@cominvent.com> > >> wrote: > >>> > >>>> Hi, > >>>> > >>>>> if you're prevented from implementing SSL why not use TLSv1.3? > >>>> > >>>> > >>>> I have not found any evidence that Zookeeper server nor (Java) client > >>>> supports TLS in version 3.4.13. Please point me to some docs or > >> tutorial. > >>>> We don't want to fork Zookeeper to implement this stuff ourselves :) > >>>> > >>>> -- > >>>> Jan Høydahl, search solution architect > >>>> Cominvent AS - www.cominvent.com > >>>> > >>>>> 27. sep. 2018 kl. 15:17 skrev Martin Gainty <mgai...@hotmail.com>: > >>>>> > >>>>> > >>>>> ________________________________ > >>>>> From: Jan Høydahl <jan....@cominvent.com> > >>>>> Sent: Thursday, September 27, 2018 5:12 AM > >>>>> To: user@zookeeper.apache.org > >>>>> Subject: Digest auth with classic TCP transport > >>>>> > >>>>> Hi > >>>>> > >>>>> We use ZK 3.4.13, and unfortunately cannot use Netty transport and > SSL. > >>>>> We plan to use digest authentication and Zookeeper ACL protection. > >>>>> > >>>>> Question is, since we cannot use SSL, is there some other way to make > >>>> sure the user credentials are not sniffed over the network and thus > let > >> an > >>>> attacker impersonate our application and cange the content in > Zookeeper? > >>>> Does the Zookeeper client do some smart moves to protect/hash the > >> password > >>>> over the network? I suppose the binary transport is easy to decipher > for > >>>> those who try. > >>>>> > >>>>> MG>if you're prevented from implementing SSL why not use TLSv1.3? > >>>>> MG>with TLSv1.3 you can implement encryption/decryption with crypto > >>>> private/public keys and x509 certs > >>>>> https://en.wikipedia.org/wiki/Transport_Layer_Security > >>>>> Transport Layer Security - Wikipedia<https://en. > >>>> wikipedia.org/wiki/Transport_Layer_Security> > >>>>> Transport Layer Security (TLS) – and its predecessor, Secure Sockets > >>>> Layer (SSL), which is now deprecated by the Internet Engineering Task > >> Force > >>>> (IETF) – are cryptographic protocols that provide communications > >> security > >>>> over a computer network. Several versions of the protocols find > >> widespread > >>>> use in applications such as web browsing, email, instant messaging, > and > >>>> voice over IP (VoIP). > >>>>> en.wikipedia.org > >>>>> > >>>>> > >>>>> MG>path of least resistance is to contact verisign and ask them to > >>>> generate keys, certs and allow them to act as CA > >>>>> MG>Caveat: tls1.3 implementation is slow and is supported by Mozilla > >>>> v60...and some versions of chrome > >>>>> MG>as far as ciphers to prevent MIMA do not implement TLS_DH_anon and > >>>> TLS_ECDH_anon key agreement methods MG>do not authenticate the server > >>>>> MG>you will want public key size to be min 2048bit to conform to > chrome > >>>> secure transmission requirements > >>>>> MG>securing message is done thru MD5 or SHA but you will need to > >>>> incorporate selected algo into > >>>>> MG>supported cipher-suite(s) > >>>>> https://en.wikipedia.org/wiki/Cipher_suite > >>>>> Cipher suite - Wikipedia<https://en.wikipedia.org/wiki/Cipher_suite> > >>>>> A cipher suite is a set of algorithms that help secure a network > >>>> connection that uses Transport Layer Security (TLS) or Secure Socket > >> Layer > >>>> (SSL). The set of algorithms that cipher suites usually contain > >> include: a > >>>> key exchange algorithm, a bulk encryption algorithm, and a message > >>>> authentication code (MAC) algorithm.. The key exchange algorithm is > >> used to > >>>> exchange a key between two devices. > >>>>> en.wikipedia.org > >>>>> > >>>>> > >>>>> HTH > >>>>> Martin > >>>>> -- > >>>>> Jan Høydahl > >>>>> Cominvent AS - www.cominvent.com<http://www.cominvent.com> > >>>>> > >>>> > >>>> > >> > >> > >
