couchdb-marketing mailing list archives

From Lena Reinhard <>
Subject Re: For next NEWS - MongoDB security
Date Mon, 16 Feb 2015 14:09:12 GMT
Hi folks,

thanks for sending over these links, Andy! To be quite honest, I'm not sure what to take out
from the discussion that followed in terms of the News though. Could one of you help me clarify?


> On 12 Feb 2015, at 12:00, Alexander Shorin <> wrote:
> On Thu, Feb 12, 2015 at 1:46 PM, Jan Lehnardt <> wrote:
>>> On 12 Feb 2015, at 11:44, Alexander Shorin <> wrote:
>>> On Thu, Feb 12, 2015 at 1:36 PM, Jan Lehnardt <> wrote:
>>>>> On 12 Feb 2015, at 09:51, Andy Wenk <> wrote:
>>>>> Alex,
>>>>> this is the marketing list. It is applicable that if you do not configure
>>>>> CouchDB correctly you have security issues. All I want to say here is the
>>>>> fact that not only MongoDB has security leaks when not configured
>>>>> correctly but also CouchDB (and MySQL, and PostgreSQL and ...). So it is
>>>>> worth mentioning the findings by these students in the news by pointing to
>>>>> their website or paper.
>>>>> You are welcome to write an article or blog post about how to secure
>>>>> CouchDB and which mechanisms are offered. Maybe also in comparison with
>>>>> MongoDB. Would be extremely cool to then point to the article.
>>>> I remember writing such a thing, but I can’t recall where. Anyone remember?
>>> This one?
>> Well, that wasn’t written by me, but this will do as a start.
>> I want to make sure we communicate that a default CouchDB installation *is*
>> secure and that we are thinking hard and long about how to not trick people
>> into accidentally exposing their data. Because that’s what we do and always
>> have done.
> Ah, you mean your, I don't even recall such. But even those
> that I posted here need additional notes about the require_valid_user
> option and https.
> It's hard to say if "default installation is secure". It isn't open
> to the world by default, but everyone is admin there. Is it secure?
> Technically, no. Could an arbitrary evil user hack such an installation from
> outside? Technically, again, no, unless the user that installed CouchDB
> took additional actions to expose it to the world (reverse proxy) or
> if the evil user has access to localhost; with the first thing we cannot do
> anything, just as with the second one.
> --
> ,,,^..^,,,
