From Jan Lehnardt <...@apache.org>
Subject Re: For next NEWS - MongoDB security
Date Mon, 16 Feb 2015 14:19:29 GMT
Would not add anything to news just yet. We might have a “Securing CouchDB” guide at some
point which can be linked to, then :)

Best
Jan
--

> On 16 Feb 2015, at 15:09, Lena Reinhard <lena@thehoodiefirm.com> wrote:
> 
> Hi folks,
> 
> thanks for sending over these links, Andy! To be quite honest, I'm not sure what to take
> out from the discussion that followed in terms of the News though. Could one of you help me
> clarify?
> 
> Best,
> Lena
> 
> 
>> On 12 Feb 2015, at 12:00, Alexander Shorin <kxepal@gmail.com> wrote:
>> 
>> On Thu, Feb 12, 2015 at 1:46 PM, Jan Lehnardt <jan@apache.org> wrote:
>>>> On 12 Feb 2015, at 11:44, Alexander Shorin <kxepal@gmail.com> wrote:
>>>> 
>>>> On Thu, Feb 12, 2015 at 1:36 PM, Jan Lehnardt <jan@apache.org> wrote:
>>>>>> On 12 Feb 2015, at 09:51, Andy Wenk <andywenk@apache.org> wrote:
>>>>>> 
>>>>>> Alex,
>>>>>> 
>>>>>> this is the marketing list. It is applicable that if you do not configure
>>>>>> CouchDB correctly you have security issues. All I want to say here is the
>>>>>> fact that not only MongoDB has security leaks when not configured
>>>>>> correctly but also CouchDB (and mySQL, and PostgreSQL and ...). So it is
>>>>>> worth mentioning the findings by these students in the news by pointing to
>>>>>> their website or paper.
>>>>>> 
>>>>>> You are welcome to write an article or blog post about how to secure
>>>>>> CouchDB and which mechanisms are offered. Maybe also in comparison with
>>>>>> MongoDB. Would be extremely cool to then point to the article.
>>>>> 
>>>>> I remember writing such a thing, but I can’t recall where. Anyone remember? :)
>>>> 
>>>> This one?
>>>> http://podefr.tumblr.com/post/30895595277/securing-couchdb-in-3-steps
>>> 
>>> Well, that wasn’t written by me, but this will do as a start.
>>> 
>>> I want to make sure we communicate that a default CouchDB installation *is*
>>> secure and that we are thinking hard and long about how to not trick people
>>> into accidentally exposing their data. Because that’s what we do and always
>>> have done.
>> 
>> Ah, you mean your post... no, I don't even recall such. But even the ones
>> that I posted here need additional notes about the require_valid_user
>> option and https.
>> 
>> It's hard to say if "default installation is secure". It isn't open
>> to the world by default, but everyone is admin there. Is it secure?
>> Technically, no. Could an arbitrary evil user hack such an installation from
>> outside? Technically, again, no, unless the user that installed CouchDB
>> took additional actions to expose it to the world (reverse proxy) or
>> the evil user has access to localhost - and we cannot do anything about
>> the first, just as with the second.
>> 
>> --
>> ,,,^..^,,,
> 
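Alexander's point about require_valid_user, https and the everyone-is-admin default can be turned into a concrete check. The following is an added example, not code from this thread or from the CouchDB project: a small Python audit of a CouchDB 1.x local.ini, run over a constructed out-of-the-box fragment beside a constructed hardened one. The ini keys used ([httpd] bind_address, [couch_httpd_auth] require_valid_user, [admins], [daemons] httpsd, [ssl] cert_file/key_file) are the CouchDB 1.x names; the certificate paths and the admin password placeholder are assumptions.

```python
import configparser
from typing import List

# Constructed sample: a CouchDB 1.x local.ini as installed, i.e. "admin party"
# (no [admins] entries, anonymous requests allowed, HTTP only on loopback).
DEFAULT_LOCAL_INI = """
[httpd]
bind_address = 127.0.0.1
port = 5984

[couch_httpd_auth]
require_valid_user = false

[admins]
"""

# Constructed sample after hardening: an admin account, authentication
# required for every request, and the HTTPS daemon enabled.
# Paths and the password placeholder are assumptions, not project values.
HARDENED_LOCAL_INI = """
[httpd]
bind_address = 127.0.0.1
port = 5984

[couch_httpd_auth]
require_valid_user = true

[admins]
; CouchDB 1.x rewrites a plaintext value here into a -pbkdf2- hash on startup
admin = CHANGE-ME-placeholder

[daemons]
httpsd = {couch_httpd, start_link, [https]}

[ssl]
cert_file = /etc/couchdb/cert/couchdb.pem
key_file = /etc/couchdb/cert/privkey.pem
"""

LOOPBACK = ("127.0.0.1", "::1", "localhost")


def audit_local_ini(text: str) -> List[str]:
    """Return finding codes for a local.ini body; an empty list means nothing flagged."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.read_string(text)
    findings: List[str] = []

    # 1. Admin party: an empty [admins] section makes every caller a server admin.
    admins = dict(cp.items("admins")) if cp.has_section("admins") else {}
    if not admins:
        findings.append("ADMIN_PARTY")

    # 2. Anonymous access: without require_valid_user, unauthenticated requests
    #    can still read any database that has no _security document.
    if not cp.getboolean("couch_httpd_auth", "require_valid_user", fallback=False):
        findings.append("ANON_ACCESS")

    # 3. Network exposure: anything other than loopback is reachable from the
    #    network directly, not only via a deliberately configured reverse proxy.
    bind = cp.get("httpd", "bind_address", fallback="127.0.0.1").strip()
    if bind not in LOOPBACK:
        findings.append("NETWORK_EXPOSED")

    # 4. No HTTPS: credentials and session cookies travel in cleartext once the
    #    server is reached over a network (the httpsd daemon plus [ssl] cert/key).
    https_on = cp.has_option("daemons", "httpsd") and cp.has_option("ssl", "cert_file") \
        and cp.has_option("ssl", "key_file")
    if not https_on:
        findings.append("NO_HTTPS")

    return findings


if __name__ == "__main__":
    for label, ini in (("default", DEFAULT_LOCAL_INI), ("hardened", HARDENED_LOCAL_INI)):
        print(f"{label}: {audit_local_ini(ini) or 'no findings'}")
```

The audit is deliberately a static read of the file: it says what the configuration permits, not whether anyone has reached the instance. Note that NETWORK_EXPOSED is reported on its own, so a hardened file bound to 0.0.0.0 still gets that one finding as a reminder that the other three controls are now doing all the work.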

