kafka-dev mailing list archives

From "Ismael Juma (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (KAFKA-3665) Default ssl.endpoint.identification.algorithm should be https
Date Fri, 06 May 2016 13:51:13 GMT

    [ https://issues.apache.org/jira/browse/KAFKA-3665?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15274052#comment-15274052 ]

Ismael Juma commented on KAFKA-3665:
------------------------------------

[~Ryan P], that sounds great. The reason why I want to do that separately is that we have
a bit more time to update the documentation (as it's not included with released artifacts),
but if we want to do a code change for 0.10.0.0, then it has to be merged before the next
RC.

If we decide to just do the documentation change, then we can close this issue and just keep
the other one. Does that make sense?

> Default ssl.endpoint.identification.algorithm should be https
> -------------------------------------------------------------
>
>                 Key: KAFKA-3665
>                 URL: https://issues.apache.org/jira/browse/KAFKA-3665
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.9.0.1
>            Reporter: Ismael Juma
>            Assignee: Ismael Juma
>             Fix For: 0.10.0.0
>
>
> The default `ssl.endpoint.identification.algorithm` is `null` which is not a secure default
> (man-in-the-middle attacks are possible).
> We should probably use `https` instead. A more conservative alternative would be to update
> the documentation instead of changing the default.
> A paper on the topic (thanks to Ryan Pridgeon for the reference): http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
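Added example, not code from the Kafka project or from the participants in this issue: a Python model of the check that a `null` `ssl.endpoint.identification.algorithm` skips. Kafka hands the configured value to JSSE through `SSLParameters.setEndpointIdentificationAlgorithm`, so with `null` the client only verifies that the broker's certificate chains to a trusted CA and never compares the certificate's names with the host it dialled; any certificate a trusted CA issued to an attacker-controlled name is then accepted, which is the man-in-the-middle the issue describes. The matching rules coded here are the HTTPS endpoint identification rules (RFC 2818 / RFC 6125); the `Certificate` class, the host names and the MITM scenario are constructed for illustration and are not Kafka or JSSE types.

```python
"""Model of the hostname check that ssl.endpoint.identification.algorithm=null
disables. Added example; not Kafka or JSSE code."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Certificate:
    """Only the identity fields an endpoint check looks at (constructed type)."""
    subject_cn: str
    san_dns: list = field(default_factory=list)   # dNSName SAN entries
    san_ip: list = field(default_factory=list)    # iPAddress SAN entries


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching: case-insensitive, wildcard allowed only as the
    whole leftmost label and never across a dot, so *.example.com matches
    kafka1.example.com but neither a.b.example.com nor example.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # reject '*', '*.com' and partial wildcards like 'kaf*'
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def https_identity_matches(cert: Certificate, host: str) -> bool:
    """The 'https' endpoint identification rule: IP literals must appear as an
    iPAddress SAN; DNS names are matched against dNSName SANs, and the subject
    CN is consulted only when the certificate carries no dNSName SAN at all."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(x) == ip for x in cert.san_ip)
    if cert.san_dns:
        return any(_dns_name_matches(p, host) for p in cert.san_dns)
    return _dns_name_matches(cert.subject_cn, host)


def server_accepted(cert: Certificate, host: str, chain_trusted: bool,
                    endpoint_identification_algorithm) -> bool:
    """Mirror of the client decision: chain validation first, then hostname
    verification only if an identification algorithm is configured."""
    if not chain_trusted:
        return False
    if endpoint_identification_algorithm is None:
        return True  # null: any trusted certificate, any name, is accepted
    if endpoint_identification_algorithm.lower() != "https":
        raise ValueError("unsupported endpoint identification algorithm")
    return https_identity_matches(cert, host)


def mitm_scenario() -> dict:
    """Client dials kafka1.example.com; an on-path attacker answers with a
    certificate a trusted CA legitimately issued for a name the attacker owns
    (constructed scenario). Returns the accept decision per setting."""
    broker_host = "kafka1.example.com"
    attacker_cert = Certificate("attacker.example.net",
                                san_dns=["attacker.example.net"])
    return {
        "null": server_accepted(attacker_cert, broker_host, True, None),
        "https": server_accepted(attacker_cert, broker_host, True, "https"),
    }


if __name__ == "__main__":
    print(mitm_scenario())  # {'null': True, 'https': False}
```

On the client side the fix is `ssl.endpoint.identification.algorithm=https` in the producer or consumer properties. A quick way to confirm it is actually in effect is to point the client at a broker through a name its certificate does not carry (for example the broker's IP address when the certificate has only a dNSName SAN): with `https` the handshake must fail, with `null` it silently succeeds.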
