couchdb-dev mailing list archives

From Chris Anderson <jch...@apache.org>
Subject Re: DB ACLs (was Re: 0.11 Release / Feature Freeze for 1.0)
Date Thu, 04 Feb 2010 00:36:56 GMT
On Wed, Feb 3, 2010 at 1:35 PM, Brian Candler <B.Candler@pobox.com> wrote:
> On Wed, Feb 03, 2010 at 09:24:26PM +0000, Brian Candler wrote:
>> > > (9) The _users db itself is world-readable (showing not only who your users
>> > > are, but their password hashes). Highly undesirable.
>> >
>> > I actually consider this a feature. We'd like to get some stronger
>> > password hashing (see the bcrypt threads) which should help with the
>> > password parts.
>
> Actually, passwords aren't even the issue. Just revealing the *usernames* of
> all the users on the system is the problem.
>
> For example, if I were a competitor to couch.io, I would be very happy to
> download a list of customers I should be poaching :-)

In couch.io each customer gets an entire couchdb server, so no worries
about that.

Chris



-- 
Chris Anderson
http://jchrisa.net
http://couch.io

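The point Brian raises upstream, that an anonymous client can list every account in `_users` (and, in this era, their `password_sha`/`salt` pairs), is easy to verify against a deployment. The following is an added example written for this archive page; it is not code from the thread, from couch.io, or from CouchDB itself. It assumes the server answers `GET /_users/_all_docs?include_docs=true`, that user documents follow the 0.11/1.x layout (`_id` of the form `org.couchdb.user:<name>` plus `name`, `roles`, `password_sha` and `salt`), and the sample response embedded below is constructed for the example, not captured from a real server.

```python
"""Audit whether CouchDB's _users database is readable without credentials.

Added example for the mailing-list page; not CouchDB's own code.
Assumptions (not stated in the thread):
  - the server serves GET /_users/_all_docs?include_docs=true
  - user docs use the 0.11/1.x layout: _id "org.couchdb.user:<name>",
    with "name", "roles", and a "password_sha" + "salt" pair
  - SAMPLE_OPEN_RESPONSE below is constructed, with placeholder hashes
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field

USER_PREFIX = "org.couchdb.user:"
# Field names that carry password material in 0.11/1.x-era user documents.
HASH_FIELDS = ("password_sha", "salt", "derived_key", "password_scheme")


@dataclass
class UsersDbExposure:
    anonymous_readable: bool
    usernames: list = field(default_factory=list)  # what a competitor could poach
    hashes_exposed: bool = False                   # password material leaked too
    other_docs: int = 0                            # e.g. _design/_auth


def assess_users_response(status, body):
    """Classify an anonymous GET /_users/_all_docs?include_docs=true reply.

    401/403 means the server rejected the unauthenticated read (the desired
    state).  200 means the listing is public; every org.couchdb.user:* row is
    a username, and any hash field in the doc means credentials leak as well.
    """
    if status in (401, 403):
        return UsersDbExposure(anonymous_readable=False)
    if status != 200:
        raise ValueError(f"unexpected HTTP status {status}")
    data = json.loads(body)
    result = UsersDbExposure(anonymous_readable=True)
    for row in data.get("rows", []):
        doc_id = row.get("id", "")
        doc = row.get("doc") or {}
        if doc_id.startswith(USER_PREFIX):
            # Prefer the explicit "name" field, fall back to the _id suffix.
            result.usernames.append(doc.get("name") or doc_id[len(USER_PREFIX):])
            if any(k in doc for k in HASH_FIELDS):
                result.hashes_exposed = True
        else:
            result.other_docs += 1
    return result


def fetch_users_db(base_url, timeout=5):
    """Issue the anonymous request: no Authorization header, no cookie."""
    url = base_url.rstrip("/") + "/_users/_all_docs?include_docs=true"
    try:
        with urllib.request.urlopen(urllib.request.Request(url), timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


# Constructed sample of a world-readable _users listing (hashes are placeholders).
SAMPLE_OPEN_RESPONSE = json.dumps({
    "total_rows": 3, "offset": 0,
    "rows": [
        {"id": "_design/_auth", "key": "_design/_auth", "value": {"rev": "1-a"},
         "doc": {"_id": "_design/_auth", "validate_doc_update": "function(){}"}},
        {"id": "org.couchdb.user:alice", "key": "org.couchdb.user:alice",
         "value": {"rev": "1-b"},
         "doc": {"_id": "org.couchdb.user:alice", "type": "user", "name": "alice",
                 "roles": [], "password_sha": "0" * 40, "salt": "0" * 32}},
        {"id": "org.couchdb.user:bob", "key": "org.couchdb.user:bob",
         "value": {"rev": "1-c"},
         "doc": {"_id": "org.couchdb.user:bob", "type": "user", "name": "bob",
                 "roles": ["admin"], "password_sha": "1" * 40, "salt": "1" * 32}},
    ],
})


if __name__ == "__main__":
    # Offline run against the constructed sample; point fetch_users_db at a
    # real instance (hypothetical URL) to audit a live server instead:
    #   status, body = fetch_users_db("http://127.0.0.1:5984")
    report = assess_users_response(200, SAMPLE_OPEN_RESPONSE)
    print(f"anonymous readable: {report.anonymous_readable}")
    print(f"usernames enumerated: {report.usernames}")
    print(f"password hashes exposed: {report.hashes_exposed}")
```

On the constructed sample the audit reports the listing as anonymously readable, enumerates `alice` and `bob`, and flags that hash material is exposed; a server that returns 401 or 403 for the same request is classified as not readable and yields an empty username list.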