couchdb-user mailing list archives

From Chris Anderson <jch...@apache.org>
Subject Re: Common security pattern?
Date Sun, 03 Jan 2010 21:17:13 GMT
On Sun, Jan 3, 2010 at 12:07 PM, Sam Bisbee <sbisbee@computervip.com> wrote:
> On Sun, Jan 03, 2010 at 11:40:32AM -0800, Chris Anderson wrote:
>> I'd avoid thinking that hiding Futon provides security. Ideally users
>> would be able to get into the data via Futon if they choose. If you
>> structure your validation functions properly, this should be
>> completely secure (more secure than an http-proxy based authorization
>> model).
>
> This strikes me as an odd and interesting proposition (read: the good kind).
>
> I can think of plenty of cases where I don't want users to see all the data
> that I have related to them: ex., hashed/crypted passwords, analytics, various
> types of scores/weights, my profit margin on their purchases, etc. Allowing
> users to inspect documents about themselves through Futon would allow them to
> see all those goodies.
>
> Also, I have always been of the mind that even if something doesn't inherently
> cause a security flaw, that you shouldn't give it to your users if you don't
> need to (users are too good at breaking things in ways that you don't expect,
> especially the malicious ones).
>
> Not that I'm not a fan of open APIs (actually, I'm a huge fan), but even those
> enforce validation/rules.
>
> Or were you discussing a specific use case?
>

The use case I'm thinking of is any that involves CouchDB on the net.
If you have data you don't want read, it should go into a
read-restricted database (please do implement...). Otherwise,
validation functions are the 100% best way to prevent unwanted
updates.

The worry is that someone will think they've added security by
disallowing access to /_utils. As long as you allow users' browsers
to access CouchDB via HTTP, you should cross the t's and dot the i's
of validation functions, so that you are confident enough to allow
Futon access. Anything less is security by obscurity.

Chris

-- 
Chris Anderson
http://jchrisa.net
http://couch.io
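An added example of the approach Chris describes (not code from the thread or from CouchDB itself): a `validate_doc_update` function that makes the database enforce ownership and protect server-managed fields on every write, whatever client sends it, so granting Futon access changes nothing. The `type`, `owner` and `score` fields and the policy are assumptions for illustration; the harness below it only mimics how CouchDB invokes the function.

```javascript
// Assumed document shape: {type, owner, score}; score is server-managed.
function validate_doc_update(newDoc, oldDoc, userCtx) {
  // CouchDB turns throw({forbidden: ...}) into 403 and throw({unauthorized: ...}) into 401.
  var isAdmin = userCtx.roles.indexOf('_admin') !== -1;
  if (!userCtx.name) {
    throw({unauthorized: 'You must be logged in to write.'});
  }
  if (newDoc._deleted) {
    // Only the current owner (or an admin) may delete an existing document.
    if (oldDoc && oldDoc.owner !== userCtx.name && !isAdmin) {
      throw({unauthorized: 'Only the owner may delete this document.'});
    }
    return;
  }
  if (!newDoc.type || !newDoc.owner) {
    throw({forbidden: 'Documents must carry type and owner fields.'});
  }
  // Ordinary users may only create documents they own ...
  if (newDoc.owner !== userCtx.name && !isAdmin) {
    throw({unauthorized: 'You may only write documents you own.'});
  }
  if (oldDoc) {
    // ... may not take over someone else's document ...
    if (oldDoc.owner !== userCtx.name && !isAdmin) {
      throw({unauthorized: 'This document belongs to another user.'});
    }
    // ... and may not change the document's type.
    if (oldDoc.type !== newDoc.type) {
      throw({forbidden: 'The type of a document cannot change.'});
    }
  }
  // Server-managed field: ordinary users may neither set nor change it.
  var expectedScore = oldDoc ? oldDoc.score : undefined;
  if (!isAdmin && newDoc.score !== expectedScore) {
    throw({forbidden: 'The score field is maintained by the server.'});
  }
}

// Harness (not part of CouchDB): calls the function the way CouchDB does.
function tryUpdate(newDoc, oldDoc, userCtx) {
  try {
    validate_doc_update(newDoc, oldDoc, userCtx);
    return 'accepted';
  } catch (e) {
    if (e.forbidden) return 'forbidden: ' + e.forbidden;
    if (e.unauthorized) return 'unauthorized: ' + e.unauthorized;
    throw e;
  }
}
```

Installed as the `validate_doc_update` member of a design document, the function runs on every write to that database, including writes made through Futon.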
