couchdb-marketing mailing list archives

From Alexander Shorin <kxe...@gmail.com>
Subject Re: For next NEWS - MongoDB security
Date Thu, 12 Feb 2015 11:00:48 GMT
On Thu, Feb 12, 2015 at 1:46 PM, Jan Lehnardt <jan@apache.org> wrote:
>> On 12 Feb 2015, at 11:44, Alexander Shorin <kxepal@gmail.com> wrote:
>>
>> On Thu, Feb 12, 2015 at 1:36 PM, Jan Lehnardt <jan@apache.org> wrote:
>>>> On 12 Feb 2015, at 09:51, Andy Wenk <andywenk@apache.org> wrote:
>>>>
>>>> Alex,
>>>>
>>>> this is the marketing list. It is applicable that if you do not configure
>>>> CouchDB correctly you have security issues. All I want to say here is the
>>>> fact, that not only MongoDB has security leaks when not configured
>>>> correctly but also CouchDB (and mySQL, and PostgreSQL and ...). So it is
>>>> worth mentioning the findings by these students in the news by pointing to
>>>> their website or paper.
>>>>
>>>> You are welcome to write an article or blog post about how to secure
>>>> CouchDB and which mechanisms are offered. Maybe also in comparison with
>>>> MongoDB. Would be extremely cool to then point to the article.
>>>
>>> I remember writing such a thing, but I can’t recall where. Anyone remember? :)
>>
>> This one?
>> http://podefr.tumblr.com/post/30895595277/securing-couchdb-in-3-steps
>
> Well, that wasn’t written by me, but this will do as a start.
>
> I want to make sure we communicate that a default CouchDB installation *is*
> secure and that we are thinking hard and long about how to not trick people
> into accidentally exposing their data. Because that’s what we do and always
> have done.

Ah, you mean your post... no, I don't even recall such a thing. But even the
ones I posted here need additional notes about the require_valid_user
option and https.

It's hard to say that the "default installation is secure". It isn't open
to the world by default, but everyone is admin there. Is it secure?
Technically, no. Could an arbitrary evil user hack such an installation from
outside? Technically, again, no, unless the user that installed CouchDB
took additional actions to expose it to the world (reverse proxy) or
the evil user has access to localhost - we cannot do anything about the
first, just as with the second one.

--
,,,^..^,,,
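The hardening the reply points at (no "admin party", require_valid_user, https instead of plain http) written out as a CouchDB 1.x local.ini fragment. This is an added example, not configuration from the thread; the admin name, password and certificate paths are placeholders.

```ini
; local.ini fragment for CouchDB 1.x (added example; credentials and paths are placeholders)

[httpd]
; keep the plain-HTTP listener on loopback; anything that exposes it (a reverse proxy)
; must add TLS and authentication in front of it
bind_address = 127.0.0.1
port = 5984

[admins]
; defining at least one admin ends the "admin party", where every request is admin;
; CouchDB hashes a plaintext value here on its next start
admin = change-this-password

[couch_httpd_auth]
; reject unauthenticated requests altogether, including reads of _all_dbs
require_valid_user = true

[ssl]
; certificate and key for the HTTPS listener (placeholder paths)
cert_file = /etc/couchdb/certs/server_cert.pem
key_file = /etc/couchdb/certs/server_key.pem
port = 6984

[daemons]
; start the HTTPS listener alongside the HTTP one
httpsd = {couch_httpd, start_link, [https]}
```

After a restart, an unauthenticated `curl http://127.0.0.1:5984/_all_dbs` should return a 401 instead of the database list, and `https://127.0.0.1:6984/` should answer over TLS.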
