couchdb-marketing mailing list archives

From Andy Wenk <a...@nms.de>
Subject Re: For next NEWS - MongoDB security
Date Mon, 16 Feb 2015 15:18:47 GMT
On 16 February 2015 at 15:19, Jan Lehnardt <jan@apache.org> wrote:

> Would not add anything to news just yet. We might have a “Securing
> CouchDB” guide at some point which can be linked to, then :)
>

+1


>
> Best
> Jan
> --
>
> > On 16 Feb 2015, at 15:09, Lena Reinhard <lena@thehoodiefirm.com> wrote:
> >
> > Hi folks,
> >
> > thanks for sending over these links, Andy! To be quite honest, I'm not
> sure what to take out from the discussion that followed in terms of the
> News though. Could one of you help me clarify?
> >
> > Best,
> > Lena
> >
> >
> >> On 12 Feb 2015, at 12:00, Alexander Shorin <kxepal@gmail.com> wrote:
> >>
> >> On Thu, Feb 12, 2015 at 1:46 PM, Jan Lehnardt <jan@apache.org> wrote:
> >>>> On 12 Feb 2015, at 11:44, Alexander Shorin <kxepal@gmail.com> wrote:
> >>>>
> >>>> On Thu, Feb 12, 2015 at 1:36 PM, Jan Lehnardt <jan@apache.org> wrote:
> >>>>>> On 12 Feb 2015, at 09:51, Andy Wenk <andywenk@apache.org> wrote:
> >>>>>>
> >>>>>> Alex,
> >>>>>>
> >>>>>> this is the marketing list. It is applicable that if you do not configure
> >>>>>> CouchDB correctly you have security issues. All I want to say here is the
> >>>>>> fact that not only MongoDB has security leaks when not configured
> >>>>>> correctly but also CouchDB (and mySQL, and PostgreSQL and ...). So it is
> >>>>>> worth mentioning the findings by these students in the news by pointing to
> >>>>>> their website or paper.
> >>>>>>
> >>>>>> You are welcome to write an article or blog post about how to secure
> >>>>>> CouchDB and which mechanisms are offered. Maybe also in comparison with
> >>>>>> MongoDB. Would be extremely cool to then point to the article.
> >>>>>
> >>>>> I remember writing such a thing, but I can’t recall where. Anyone
> >>>>> remember? :)
> >>>>
> >>>> This one?
> >>>> http://podefr.tumblr.com/post/30895595277/securing-couchdb-in-3-steps
> >>>
> >>> Well, that wasn’t written by me, but this will do as a start.
> >>>
> >>> I want to make sure we communicate that a default CouchDB installation *is*
> >>> secure and that we are thinking hard and long about how to not trick people
> >>> into accidentally exposing their data. Because that’s what we do and always
> >>> have done.
> >>
> >> Ah, you mean your post... no, I don't even recall such. But even those
> >> that I posted here need additional notes about the require_valid_user
> >> option and https.
> >>
> >> It's hard to say if "default installation is secure". It isn't open
> >> to the world by default, but everyone is admin there. Is it secure?
> >> Technically, no. Could an arbitrary evil user hack such an installation from
> >> outside? Technically, again, no, unless the user that installed CouchDB
> >> took additional actions to expose it to the world (reverse proxy) or
> >> the evil user has access to localhost - we cannot do anything about the
> >> first, just as with the second one.
> >>
> >> --
> >> ,,,^..^,,,
> >
>
>


-- 
Andy Wenk
Hamburg - Germany
RockIt!

http://www.couchdb-buch.de
http://www.pg-praxisbuch.de

GPG fingerprint: C044 8322 9E12 1483 4FEC 9452 B65D 6BE3 9ED3 9588

https://people.apache.org/keys/committer/andywenk.asc
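The thread turns on three settings: whether any admin is defined (the "admin party" Alexander describes, where every request is an administrator), whether require_valid_user is on, and whether the node listens only on localhost or has been exposed to the network. The following audit script is an added example, not code from the thread, from the linked blog post, or from the CouchDB project. It assumes the CouchDB 1.x local.ini layout in use at the time (sections [httpd], [admins] and [couch_httpd_auth]); both sample configurations are constructed for the example, and the admin hash is a placeholder rather than a real CouchDB password hash.

```python
import configparser
import ipaddress

# Constructed sample: a CouchDB 1.x-style local.ini as it ships. Loopback-only,
# but no admin is defined and require_valid_user is left at its default.
DEFAULT_LOCAL_INI = """
[httpd]
bind_address = 127.0.0.1
port = 5984

[couch_httpd_auth]
require_valid_user = false

[admins]
"""

# Constructed sample: an admin has been added and require_valid_user switched
# on, but bind_address now exposes the node on every interface. The hash value
# is a placeholder; CouchDB rewrites a plaintext admin password into a hash
# on restart, so the real file never holds the plaintext.
HARDENED_BUT_EXPOSED_INI = """
[httpd]
bind_address = 0.0.0.0
port = 5984

[couch_httpd_auth]
require_valid_user = true

[admins]
admin = -hashed-PLACEHOLDER,SALT
"""


def _is_loopback(bind_address: str) -> bool:
    """True only for a literal loopback address (127.0.0.0/8 or ::1).

    Anything unparseable (a hostname, an empty string) is treated as
    not-loopback, because we cannot prove it stays on the local host.
    """
    try:
        return ipaddress.ip_address(bind_address).is_loopback
    except ValueError:
        return False


def audit(ini_text: str) -> dict:
    """Audit a CouchDB 1.x-style ini file for the three settings in the thread.

    Returns the raw flags plus a list of human-readable findings, so the result
    can be asserted on in a test or printed from the command line.
    """
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.read_string(ini_text)

    # Admin party: an absent or empty [admins] section means every request
    # is treated as an administrator.
    admins = dict(cp.items("admins")) if cp.has_section("admins") else {}
    admin_party = len(admins) == 0

    # require_valid_user defaults to false in CouchDB 1.x.
    rvu = cp.get("couch_httpd_auth", "require_valid_user", fallback="false")
    require_valid_user = rvu.strip().lower() == "true"

    # bind_address defaults to 127.0.0.1 in CouchDB 1.x.
    bind = cp.get("httpd", "bind_address", fallback="127.0.0.1").strip()
    loopback_only = _is_loopback(bind)

    findings = []
    if admin_party:
        findings.append("admin party: no [admins] entry, every request is an administrator")
    if not require_valid_user:
        findings.append("require_valid_user is off: unauthenticated requests are accepted")
    if not loopback_only:
        findings.append(f"bind_address {bind} is reachable from other hosts")

    return {
        "admin_party": admin_party,
        "require_valid_user": require_valid_user,
        "loopback_only": loopback_only,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_LOCAL_INI), ("exposed", HARDENED_BUT_EXPOSED_INI)):
        result = audit(text)
        print(f"{name}: {len(result['findings'])} finding(s)")
        for line in result["findings"]:
            print("  -", line)
```

The shipped default reports two findings (admin party and require_valid_user off) but no network exposure, which is exactly the distinction Alexander draws: weak locally, yet not reachable from outside unless someone binds it to a public interface or fronts it with a reverse proxy. The second sample shows the opposite mistake, where the authentication steps were done but the bind address undoes the isolation. Note that a reverse proxy is invisible to this file-level check, so it catches only the bind_address form of exposure.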
