proposal: TLS by default for all etcd peer communication #4022
Problem: We want more people using TLS for etcd in peer communication. We don't want this to happen: https://blog.shodan.io/its-still-the-data-stupid/
Solution: Make it easier to get etcd into a TLS mode and operate the lifecycle of the cluster security and public keys. To accomplish this goal we should make TLS the default for etcd.
Proposal document: https://docs.google.com/document/d/11nC7y42N0TwJnkKvIBpNRURAfOJYiSHAGPCX-VSke2c/edit#heading=h.xubaa8vzokts

Comments

How will TLS on peers help with the unauthed access? TLS + client auth can only prevent outsiders from corrupting the cluster. Shall we suggest that people only expose the peer address in a VPC or local network if possible?

It is very possible that someone could use unencrypted peer communication to extract cluster secrets on the wire and unverified communication to get a snapshot of the database. I have another proposal I am writing for the client side, but I think the peer side is a clear first step.

@philips Yeah, I agree it is helpful. I mean this proposal will not prevent the exact same issue described at https://blog.shodan.io/its-still-the-data-stupid/. We need client-side protection.

@xiang90 agreed on client side, that is the next proposal :)

@xiang90 @philips I agree with the goal of making TLS more widely used, and using TLS for peer comms is still difficult for many users. However, it's the client side that I'm concerned about: making clients use TLS natively is problematic (especially for those of us that have to use legacy apps), but using the etcd proxy to terminate TLS for such clients is broken - #3894

Moving discussion to #9475.
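The proposal asks for peer TLS to be the default. Until it is, the practical check is whether a member's flags actually give encrypted and mutually authenticated peer traffic. The script below is an added example, not etcd project code: it audits a list of etcd flags (in the `--flag=value` form only, an assumption) for plaintext peer URLs and for missing peer certificate, key, trusted CA and `--peer-client-cert-auth` settings. The flag names are etcd's own; the addresses and certificate paths are constructed sample values.

```shell
#!/bin/sh
# Added example, not etcd project code: audit etcd command-line flags for
# peer settings that leave peer traffic unencrypted or unauthenticated.
# Only the --flag=value form is recognised (assumption); paths are constructed.

# audit_peer_flags FLAG...
# Prints one finding per line. The exit status is the number of findings,
# so 0 means every peer URL is https and mutual peer TLS is configured.
audit_peer_flags() {
  findings=0
  has_cert=0; has_key=0; has_ca=0; has_auth=0; has_autotls=0
  for arg in "$@"; do
    case "$arg" in
      --listen-peer-urls=*|--initial-advertise-peer-urls=*)
        name=${arg%%=*}
        # peer URL flags take a comma-separated list
        old_ifs=$IFS; IFS=,
        for url in ${arg#*=}; do
          case "$url" in
            https://*) ;;
            *) echo "$name: plaintext peer URL $url"
               findings=$((findings + 1)) ;;
          esac
        done
        IFS=$old_ifs ;;
      --peer-cert-file=*)       has_cert=1 ;;
      --peer-key-file=*)        has_key=1 ;;
      --peer-trusted-ca-file=*) has_ca=1 ;;
      --peer-client-cert-auth|--peer-client-cert-auth=true) has_auth=1 ;;
      --peer-auto-tls|--peer-auto-tls=true)                 has_autotls=1 ;;
    esac
  done
  if [ "$has_autotls" -eq 1 ]; then
    # Auto TLS encrypts with generated self-signed certificates, so peers
    # are not verified against a CA the operator controls.
    echo "--peer-auto-tls: peers encrypted but not verified against a CA"
    findings=$((findings + 1))
  else
    if [ "$has_cert" -eq 0 ] || [ "$has_key" -eq 0 ]; then
      echo "missing --peer-cert-file/--peer-key-file: peer listener cannot serve TLS"
      findings=$((findings + 1))
    fi
    if [ "$has_ca" -eq 0 ] || [ "$has_auth" -eq 0 ]; then
      echo "missing --peer-trusted-ca-file with --peer-client-cert-auth: peers are not authenticated"
      findings=$((findings + 1))
    fi
  fi
  return "$findings"
}

# "Before": the plaintext peer configuration the Shodan post is about.
echo "== plaintext peer config =="
audit_peer_flags \
  --listen-peer-urls=http://0.0.0.0:2380 \
  --initial-advertise-peer-urls=http://10.0.0.11:2380 || echo "findings: $?"

# "After": peer TLS with mutual authentication against a shared peer CA.
echo "== peer TLS config =="
audit_peer_flags \
  --listen-peer-urls=https://10.0.0.11:2380 \
  --initial-advertise-peer-urls=https://10.0.0.11:2380 \
  --peer-cert-file=/etc/etcd/peer.crt \
  --peer-key-file=/etc/etcd/peer.key \
  --peer-trusted-ca-file=/etc/etcd/peer-ca.crt \
  --peer-client-cert-auth && echo "findings: 0"
```

The audit treats `--peer-auto-tls` as a separate finding rather than as a pass: it removes the plaintext-on-the-wire problem but not the unverified-peer problem, so a member can still end up in a cluster with anyone who can reach port 2380. A CA-signed peer certificate plus `--peer-client-cert-auth` is what closes both.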