Merge pull request #9038 from AkihiroSuda/patch-11

Strongly recommend TLS for API socket
Dawn W 2019-07-23 11:18:40 -07:00 committed by GitHub
commit e5c4444db8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 14 additions and 6 deletions

@ -78,8 +78,9 @@ started in 2006, and initially merged in kernel 2.6.24.
## Docker daemon attack surface
Running containers (and applications) with Docker implies running the
Docker daemon. This daemon currently requires `root` privileges, and you
should therefore be aware of some important details.
Docker daemon. This daemon requires `root` privileges unless you opt-in
to [Rootless mode](https://github.com/docker/engine/blob/v19.03.0-rc3/docs/rootless.md)
(experimental), and you should therefore be aware of some important details.
First of all, **only trusted users should be allowed to control your
Docker daemon**. This is a direct consequence of some powerful Docker
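Review bot: the Rootless mode link on the added line points at a release-candidate tag (`v19.03.0-rc3/docs/rootless.md`), so it will go stale or 404 once 19.03 is cut from a final tag; link to a stable branch or the published docs page instead of an RC tag. Minor style point on the same line: "opt-in" is the noun/adjective form, the verb phrase should be "opt in to".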
@ -108,10 +109,17 @@ socket.
You can also expose the REST API over HTTP if you explicitly decide to do so.
However, if you do that, be aware of the above mentioned security
implications. Ensure that it is reachable only from a
trusted network or VPN or protected with a mechanism such as `stunnel` and
client SSL certificates. You can also secure API endpoints with [HTTPS and
certificates](https.md).
implications.
Note that even if you have a firewall to limit accesses to the REST API
endpoint from other hosts in the network, the endpoint can be still accessible
from containers, and it can easily result in the privilege escalation.
Therefore it is *mandatory* to secure API endpoints with
[HTTPS and certificates](https.md).
It is also recommended to ensure that it is reachable only from a trusted
network or VPN.
You can also use `DOCKER_HOST=ssh://USER@HOST` or `ssh -L /path/to/docker.sock:/var/run/docker.sock`
instead if you prefer SSH over TLS.
The daemon is also potentially vulnerable to other inputs, such as image
loading from either disk with `docker load`, or from the network with
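Review bot: the SSH example `ssh -L /path/to/docker.sock:/var/run/docker.sock` is incomplete as written, since `ssh -L` also needs the remote host (`ssh -L /path/to/docker.sock:/var/run/docker.sock USER@HOST`); a reader copying it verbatim gets a usage error. The wording is also inconsistent: the paragraph first calls HTTPS and certificates *mandatory*, then offers SSH "instead", so state the requirement as "secure the endpoint with TLS (HTTPS and certificates) or SSH" to match the intent of the change. Two grammar nits in the new text: "limit accesses to" should be "limit access to", and "result in the privilege escalation" should be "result in privilege escalation".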