[jira] [Commented] (ZOOKEEPER-3069) document: is mutual auth with DIGEST-MD5 insecure?

2018-06-26 Thread Jan Zerebecki (JIRA)


[ https://issues.apache.org/jira/browse/ZOOKEEPER-3069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16523698#comment-16523698 ]

Jan Zerebecki commented on ZOOKEEPER-3069:
--

Perhaps: DIGEST-MD5 and MD5 are different things.

> document: is mutual auth with DIGEST-MD5 insecure?
> --
>
> Key: ZOOKEEPER-3069
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3069
> Project: ZooKeeper
> Issue Type: Bug
> Components: documentation
> Reporter: Jan Zerebecki
> Priority: Minor
>
> The [documentation regarding mutual ZooKeeper server to server authentication 
> with 
> DIGEST-MD5|https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication#Server-Servermutualauthentication-DIGEST-MD5basedauthentication]
>  currently doesn't mention whether this is insecure. [DIGEST-MD5 was declared 
> obsolete in 2011 due to security 
> problems.|https://tools.ietf.org/html/rfc6331]
> This is in relation to whether this is an effective mitigation for 
> CVE-2018-8012 AKA ZOOKEEPER-1045, as mentioned in 
> [https://lists.apache.org/thread.html/c75147028c1c79bdebd4f8fa5db2b77da85de2b05ecc0d54d708b393@%3Cdev.zookeeper.apache.org%3E].
> Would the following be a fitting addition to the documentation?:
> DIGEST-MD5 based authentication should not be relied on for authentication as 
> it is insecure, it is only provided for test purposes.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (ZOOKEEPER-3069) document: is mutual auth with DIGEST-MD5 insecure?

2018-06-26 Thread Jan Zerebecki (JIRA)


[ https://issues.apache.org/jira/browse/ZOOKEEPER-3069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16523694#comment-16523694 ]

Jan Zerebecki commented on ZOOKEEPER-3069:
--

[~maoling], how does what you said relate to the topic of this bug?



[jira] [Created] (ZOOKEEPER-3069) document: is mutual auth with DIGEST-MD5 insecure?

2018-06-25 Thread Jan Zerebecki (JIRA)
Jan Zerebecki created ZOOKEEPER-3069:


Summary: document: is mutual auth with DIGEST-MD5 insecure?
Key: ZOOKEEPER-3069
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3069
Project: ZooKeeper
Issue Type: Bug
Components: documentation
Reporter: Jan Zerebecki


The [documentation regarding mutual ZooKeeper server to server authentication 
with 
DIGEST-MD5|https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication#Server-Servermutualauthentication-DIGEST-MD5basedauthentication]
 currently doesn't mention whether this is insecure. [DIGEST-MD5 was declared 
obsolete in 2011 due to security problems.|https://tools.ietf.org/html/rfc6331]

This is in relation to whether this is an effective mitigation for 
CVE-2018-8012 AKA ZOOKEEPER-1045, as mentioned in 
[https://lists.apache.org/thread.html/c75147028c1c79bdebd4f8fa5db2b77da85de2b05ecc0d54d708b393@%3Cdev.zookeeper.apache.org%3E].

Would the following be a fitting addition to the documentation?:

DIGEST-MD5 based authentication should not be relied on for authentication as 
it is insecure, it is only provided for test purposes.

 


