Posted to dev@iotdb.apache.org by Dawei Liu <at...@163.com> on 2020/04/13 03:26:46 UTC

About the security issues that mqtt-server is turned on by default


Hi,


Xiangdong and I had an interesting discussion on github[1]. 


We reached an agreement that mqtt-server would be turned on by default for the user. 


But I think the security details still need to be discussed.


Can anyone provide some advice on security?






[1] https://github.com/apache/incubator-iotdb/pull/1033






Thanks
---
Dawei Liu



Re: About the security issues that mqtt-server is turned on by default

Posted by Jialin Qiao <qj...@mails.tsinghua.edu.cn>.
Hi,

I read the discussion and it is really hard to decide...

If we open the MQTT port by default, should we open the HTTP service in the future?

Thanks,
--
Jialin Qiao
School of Software, Tsinghua University


> -----Original Message-----
> From: "伍 雄" <la...@hotmail.com>
> Sent: 2020-04-13 14:15:26 (Monday)
> To: "dev@iotdb.apache.org" <de...@iotdb.apache.org>
> Cc: 
> Subject: Re: About the security issues that mqtt-server is turned on by default
> 
> 
> I think mqtt-server should be shut down by default.
> As I think it's hard to guarantee that there are no security issues in the future. Usually users install IoTDB
> with the default configuration; if mqtt-server has security issues in the future, it will affect many devices if it is turned on by default. We should use the minimum principle to open the port.

Re: About the security issues that mqtt-server is turned on by default

Posted by Justin Mclean <ju...@classsoftware.com>.
Hi

Off by default seems the safe option to me.

Thanks,
Justin

Re: About the security issues that mqtt-server is turned on by default

Posted by Dawei Liu <at...@163.com>.
Hi,


Does anyone have a better suggestion?
So far, most prefer that it is off by default. If there are no more comments, I will reopen [1]
and write a document to guide users on how to enable this feature.




[1] https://github.com/apache/incubator-iotdb/pull/1033 






Thanks
---
Dawei Liu



On 04/13/2020 20:09, Jialin Qiao <qj...@mails.tsinghua.edu.cn> wrote:
Hi Chris,

Thanks for your sharing!  +1 for disabling these services by default.
At the same time, we need to add clear instructions to let users enable these services easily.

Thanks,
--
Jialin Qiao
School of Software, Tsinghua University



Re: About the security issues that mqtt-server is turned on by default

Posted by Jialin Qiao <qj...@mails.tsinghua.edu.cn>.
Hi Chris,

Thanks for your sharing!  +1 for disabling these services by default.
At the same time, we need to add clear instructions to let users enable these services easily.

Thanks,
--
Jialin Qiao
School of Software, Tsinghua University


> -----Original Message-----
> From: "Christofer Dutz" <ch...@c-ware.de>
> Sent: 2020-04-13 19:27:25 (Monday)
> To: "dev@iotdb.apache.org" <de...@iotdb.apache.org>
> Cc: 
> Subject: Re: Re: About the security issues that mqtt-server is turned on by default
> 
> Hi all,
> 
> I would strongly suggest not to turn on services like MQTT and HTTP by default.
> The reason is that people will hold the project accountable for potential security issues that might come up.
> 
> For example, in the Apache Flex project we had a sub-project called BlazeDS. This is a web connector for Flex applications.
> We had all features open by default and asked users to lock it down as needed.
> Unfortunately we had to implement 3-4 CVE security bugfix releases because of this, and none of them actually affected BlazeDS code, but third-party code (mostly XML libraries or Apache Commons deserialization issues).
> When I changed things to being completely locked down but making it simple for users to unlock the parts they need, we haven't had to release a single bugfix release since then.
> 
> Chris
> 

Re: Re: About the security issues that mqtt-server is turned on by default

Posted by Christofer Dutz <ch...@c-ware.de>.
Hi all,

I would strongly suggest not to turn on services like MQTT and HTTP by default.
The reason is that people will hold the project accountable for potential security issues that might come up.

For example, in the Apache Flex project we had a sub-project called BlazeDS. This is a web connector for Flex applications.
We had all features open by default and asked users to lock it down as needed.
Unfortunately we had to implement 3-4 CVE security bugfix releases because of this, and none of them actually affected BlazeDS code, but third-party code (mostly XML libraries or Apache Commons deserialization issues).
When I changed things to being completely locked down but making it simple for users to unlock the parts they need, we haven't had to release a single bugfix release since then.

Chris



On 13.04.20, 08:15, "伍 雄" <la...@hotmail.com> wrote:

    
    I think mqtt-server should be shut down by default.
    As I think it's hard to guarantee that there are no security issues in the future. Usually users install IoTDB
    with the default configuration; if mqtt-server has security issues in the future, it will affect many devices if it is turned on by default. We should use the minimum principle to open the port.

Re: About the security issues that mqtt-server is turned on by default

Posted by 伍 雄 <la...@hotmail.com>.
If we force the user to modify the default username and password when the user first logs in, and ensure that the login process and the change-password process have no security problems, I think that it is OK.
________________________________
From: Dawei Liu <at...@163.com>
Sent: April 13, 2020 7:02
To: dev@iotdb.apache.org <de...@iotdb.apache.org>
Subject: Re: About the security issues that mqtt-server is turned on by default

Hi,


Yes, two issues to discuss:
1. Whether to turn it on by default
2. Is it safe enough to provide only a username-and-password security policy?




Thanks
---
Dawei Liu




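The two positions taken in this thread, Chris's lock-everything-down-by-default and 伍 雄's forced password change at first login, combined into one worked example of how a server can gate its optional listeners. This is added code for illustration, not IoTDB's own; the property key names `enable_mqtt_service` and `enable_http_service`, the account name and the factory password are assumptions made for the example and do not describe IoTDB's real configuration.

```python
"""Secure-by-default gating of optional network listeners.

Added example for this thread, not IoTDB's own code. It models the two
points made above: optional listeners such as MQTT and HTTP stay off unless
the operator explicitly enables them, and a listener that is enabled still
refuses to start while the built-in account carries its factory password.
The property key names, the account name and the factory password below are
assumptions made for this example, not IoTDB's real configuration.
"""
import hashlib
from dataclasses import dataclass

# Assumed property keys (hypothetical, not IoTDB's actual key names).
OPTIONAL_SERVICES = {
    "mqtt": "enable_mqtt_service",
    "http": "enable_http_service",
}

# Constructed factory credential used only to build the example account.
FACTORY_USER = "admin"
FACTORY_PASSWORD = "admin"


def parse_properties(text):
    """Parse a minimal Java-style .properties file into a dict.

    Handles key=value lines, '#'/'!' comments and blank lines; duplicate
    keys keep the last value, as java.util.Properties does.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def service_enabled(props, service):
    """Off by default: a missing or non-'true' value means disabled."""
    key = OPTIONAL_SERVICES[service]
    return props.get(key, "false").strip().lower() == "true"


def hash_password(password):
    # Toy unsalted hash, enough for the comparison in this example;
    # a real system would use a salted, slow KDF.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class Account:
    name: str
    password_hash: str
    must_change_password: bool


def fresh_install_account():
    """The account as shipped: factory password, change required."""
    return Account(FACTORY_USER, hash_password(FACTORY_PASSWORD), True)


def change_password(account, new_password):
    """First-login password change; rejects the factory value and short inputs."""
    if new_password == FACTORY_PASSWORD or len(new_password) < 8:
        raise ValueError("new password rejected")
    account.password_hash = hash_password(new_password)
    account.must_change_password = False


def startup_plan(props, account):
    """Decide which optional listeners may start.

    Returns (services_to_start, refusal_reasons). A service starts only
    if it is explicitly enabled AND the account no longer uses the
    factory password.
    """
    start, refused = [], []
    for service in OPTIONAL_SERVICES:
        if not service_enabled(props, service):
            refused.append(f"{service}: not enabled in configuration")
        elif account.must_change_password or account.password_hash == hash_password(FACTORY_PASSWORD):
            refused.append(f"{service}: enabled, but factory password still in use")
        else:
            start.append(service)
    return start, refused


# Constructed sample configuration: the operator enabled MQTT and left HTTP alone.
SAMPLE_CONFIG = """
# iotdb-engine.properties (constructed sample)
enable_mqtt_service=true
mqtt_port=1883
"""

if __name__ == "__main__":
    props = parse_properties(SAMPLE_CONFIG)
    account = fresh_install_account()
    print(startup_plan(props, account))   # nothing starts while the factory password is in use
    change_password(account, "correct-horse-battery")
    print(startup_plan(props, account))   # (['mqtt'], ['http: not enabled in configuration'])
```

The design choice worth noting is that the two gates are independent: an absent key can never turn a listener on, and an explicitly enabled listener still does not expose a port until the factory credential is gone, which is what the "minimum principle" and the first-login password change ask for when taken together.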
Re: About the security issues that mqtt-server is turned on by default

Posted by Dawei Liu <at...@163.com>.
Hi,


Yes, two issues to discuss:
1. Whether to turn it on by default
2. Is it safe enough to provide only a username-and-password security policy?




Thanks
---
Dawei Liu



On 04/13/2020 14:15, 伍 雄 <la...@hotmail.com> wrote:

I think mqtt-server should be shut down by default.
As I think it's hard to guarantee that there are no security issues in the future. Usually users install IoTDB
with the default configuration; if mqtt-server has security issues in the future, it will affect many devices if it is turned on by default. We should use the minimum principle to open the port.



Re: About the security issues that mqtt-server is turned on by default

Posted by 伍 雄 <la...@hotmail.com>.
I think mqtt-server should be shut down by default.
As I think it's hard to guarantee that there are no security issues in the future. Usually users install IoTDB
with the default configuration; if mqtt-server has security issues in the future, it will affect many devices if it is turned on by default. We should use the minimum principle to open the port.
________________________________
From: Dawei Liu <at...@163.com>
Sent: April 13, 2020 3:26
To: dev@iotdb.apache.org <de...@iotdb.apache.org>
Subject: About the security issues that mqtt-server is turned on by default



Hi,


Xiangdong and I had an interesting discussion on github[1].


We reached an agreement that mqtt-server would be turned on by default for the user.


But I think the security details still need to be discussed.


Can anyone provide some advice on security?






[1] https://github.com/apache/incubator-iotdb/pull/1033






Thanks
---
Dawei Liu