From: Andy Wenk
Reply-To: andy@nms.de
Date: Mon, 16 Feb 2015 16:18:47 +0100
Subject: Re: For next NEWS - MongoDB security
To: marketing@couchdb.apache.org

On 16 February 2015 at 15:19, Jan Lehnardt wrote:
> Would not add anything to news just yet. We might have a “Securing
> CouchDB” guide at some point which can be linked to, then :)
>
+1
>
> Best
> Jan
> --
>
> > On 16 Feb 2015, at 15:09, Lena Reinhard wrote:
> >
> > Hi folks,
> >
> > thanks for sending over these links, Andy! To be quite honest, I'm not
> > sure what to take out from the discussion that followed in terms of the
> > News though. Could one of you help me clarify?
> >
> > Best,
> > Lena
> >
> >
> >> On 12 Feb 2015, at 12:00, Alexander Shorin wrote:
> >>
> >> On Thu, Feb 12, 2015 at 1:46 PM, Jan Lehnardt wrote:
> >>>> On 12 Feb 2015, at 11:44, Alexander Shorin wrote:
> >>>>
> >>>> On Thu, Feb 12, 2015 at 1:36 PM, Jan Lehnardt wrote:
> >>>>>> On 12 Feb 2015, at 09:51, Andy Wenk wrote:
> >>>>>>
> >>>>>> Alex,
> >>>>>>
> >>>>>> this is the marketing list. It is applicable that if you do not
> >>>>>> configure CouchDB correctly you have security issues. All I want to
> >>>>>> say here is the fact that not only MongoDB has security leaks when
> >>>>>> not configured correctly but also CouchDB (and mySQL, and PostgreSQL
> >>>>>> and ...). So it is worth mentioning the findings by these students
> >>>>>> in the news by pointing to their website or paper.
> >>>>>>
> >>>>>> You are welcome to write an article or blog post about how to secure
> >>>>>> CouchDB and which mechanisms are offered. Maybe also in comparison
> >>>>>> with MongoDB. Would be extremely cool to then point to the article.
> >>>>>
> >>>>> I remember writing such a thing, but I can’t recall where. Anyone
> >>>>> remember? :)
> >>>>
> >>>> This one?
> >>>> http://podefr.tumblr.com/post/30895595277/securing-couchdb-in-3-steps
> >>>
> >>> Well, that wasn’t written by me, but this will do as a start.
> >>>
> >>> I want to make sure we communicate that a default CouchDB installation
> >>> *is* secure and that we are thinking hard and long about how to not
> >>> trick people into accidentally exposing their data. Because that’s what
> >>> we do and always have done.
> >>
> >> Ah, you mean your post... no, I don't even recall such. But even those
> >> that I posted here need additional notes about the require_valid_user
> >> option and https.
> >>
> >> It's hard to say if "default installation is secure". It isn't open
> >> to the world by default, but everyone is admin there. Is it secure?
> >> Technically, no. Could an arbitrary evil user hack such an installation
> >> from outside? Technically, again, no, unless the user that installed
> >> CouchDB took additional actions to expose it to the world (reverse proxy)
> >> or if the evil user has access to localhost - with the first thing we
> >> cannot do anything, just as with the second one.
> >>
> >> --
> >> ,,,^..^,,,
> >

-- 
Andy Wenk
Hamburg - Germany
RockIt!
http://www.couchdb-buch.de
http://www.pg-praxisbuch.de
GPG fingerprint: C044 8322 9E12 1483 4FEC 9452 B65D 6BE3 9ED3 9588
https://people.apache.org/keys/committer/andywenk.asc
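The two settings Alexander asks for notes on (the require_valid_user option and HTTPS), together with the "everyone is admin" default he describes, shown as an added local.ini example that is not part of this thread or of the CouchDB project's own documentation; it assumes CouchDB 1.x (the release line current when this was written), and the admin name, password and certificate paths are placeholders.

```ini
; Added example, not from the thread. CouchDB 1.x local.ini.

; Weak state as shipped ("admin party"): no [admins] entry, so every
; request, local or proxied, is handled with server-admin rights, and
; require_valid_user defaults to false, so anonymous reads are allowed.
; Shown commented out so this file carries only the hardened form.
;
; [admins]
; (empty)
; [couch_httpd_auth]
; require_valid_user = false

; Hardened form.
[admins]
; CouchDB replaces a plaintext value here with a hash on the next
; start or config reload. Name and password are placeholders.
admin = CHANGE-ME-placeholder-password

[couch_httpd_auth]
; Reject every unauthenticated request, including reads of databases
; that would otherwise be world-readable.
require_valid_user = true

[httpd]
; Keep the plain-HTTP listener on loopback only. Binding 0.0.0.0 or
; publishing it through a reverse proxy without TLS and authentication
; is exactly the "additional action" that exposes the node.
bind_address = 127.0.0.1

[daemons]
; Start the HTTPS listener (CouchDB 1.x syntax).
httpsd = {couch_httpd, start_link, [https]}

[ssl]
; Placeholder paths: point these at a real certificate and private key.
cert_file = /etc/couchdb/cert/couchdb.pem
key_file = /etc/couchdb/cert/privkey.pem
port = 6984
```

After a restart, an anonymous GET /_session should report no roles rather than `_admin`, and with require_valid_user set it should be refused outright; that is the quick check that the admin party is over.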