Subject: Re: For next NEWS - MongoDB security
From: Lena Reinhard
Date: Mon, 16 Feb 2015 15:09:12 +0100
Message-Id: <480B23FF-4180-492A-80B1-A4C9FA0A831B@thehoodiefirm.com>
To: marketing@couchdb.apache.org

Hi folks,

thanks for sending over these links, Andy! To be quite honest, I'm not sure what to take out from the discussion that followed in terms of the News though. Could one of you help me clarify?

Best,
Lena

> On 12 Feb 2015, at 12:00, Alexander Shorin wrote:
>
> On Thu, Feb 12, 2015 at 1:46 PM, Jan Lehnardt wrote:
>>> On 12 Feb 2015, at 11:44, Alexander Shorin wrote:
>>>
>>> On Thu, Feb 12, 2015 at 1:36 PM, Jan Lehnardt wrote:
>>>>> On 12 Feb 2015, at 09:51, Andy Wenk wrote:
>>>>>
>>>>> Alex,
>>>>>
>>>>> this is the marketing list. It is applicable that if you do not configure
>>>>> CouchDB correctly you have security issues. All I want to say here is the
>>>>> fact that not only MongoDB has security leaks when not configured
>>>>> correctly but also CouchDB (and MySQL, and PostgreSQL and ...). So it is
>>>>> worth mentioning the findings by these students in the news by pointing to
>>>>> their website or paper.
>>>>>
>>>>> You are welcome to write an article or blog post about how to secure
>>>>> CouchDB and which mechanisms are offered. Maybe also in comparison with
>>>>> MongoDB. Would be extremely cool to then point to the article.
>>>>
>>>> I remember writing such a thing, but I can't recall where. Anyone remember? :)
>>>
>>> This one?
>>> http://podefr.tumblr.com/post/30895595277/securing-couchdb-in-3-steps
>>
>> Well, that wasn't written by me, but this will do as a start.
>>
>> I want to make sure we communicate that a default CouchDB installation *is*
>> secure and that we are thinking hard and long about how to not trick people
>> into accidentally exposing their data. Because that's what we do and always
>> have done.
>
> Ah, you mean your post... no, I don't even recall such. But even those
> that I posted here need additional notes about the require_valid_user
> option and https.
>
> It's hard to say if "default installation is secure". It doesn't open
> to the world by default, but everyone is admin there. Is it secure?
> Technically, no. Could an arbitrary evil user hack such an installation from
> outside? Technically, again, no, unless the user who installed CouchDB
> took additional actions to expose it to the world (reverse proxy) or
> if an evil user has access to localhost; with the first thing we cannot do
> anything, just as with the second one.
>
> --
> ,,,^..^,,,
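The points Alexander raises above (loopback-only by default, everyone is admin until an admin is defined, the require_valid_user option, https) as an added example that is not part of this thread or of the CouchDB project's own code: a small Python audit run over constructed local.ini fragments. It assumes the CouchDB 1.x configuration layout ([httpd] bind_address, an [admins] section, [couch_httpd_auth] require_valid_user, [daemons] httpsd and [ssl]); the function name audit_couchdb_ini, the three sample files and the certificate paths are made up for the example.

```python
"""Added example (not from the thread or the CouchDB project): lint a
CouchDB 1.x local.ini for the exposure mistakes discussed on the list.
Assumption: the 1.x section/key names ([httpd] bind_address, [admins],
[couch_httpd_auth] require_valid_user, [daemons] httpsd, [ssl])."""
import configparser

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: a stock 1.x install. Reachable from localhost only,
# but no admins are defined, so every local client is a server admin
# (the "admin party" the thread refers to).
DEFAULT_INI = """\
[httpd]
port = 5984
bind_address = 127.0.0.1

[admins]
; empty on a fresh install

[couch_httpd_auth]
require_valid_user = false
"""

# Constructed sample: the same install after someone "opened it up".
EXPOSED_INI = """\
[httpd]
port = 5984
bind_address = 0.0.0.0

[admins]

[couch_httpd_auth]
require_valid_user = false
"""

# Constructed sample: the hardened version. CouchDB replaces the plaintext
# admin password with a hash on the next start; the cert paths are placeholders.
HARDENED_INI = """\
[httpd]
port = 5984
bind_address = 127.0.0.1

[admins]
admin = change-me-before-first-start

[couch_httpd_auth]
require_valid_user = true

[daemons]
httpsd = {couch_httpd, start_link, [https]}

[ssl]
port = 6984
cert_file = /etc/couchdb/cert/couchdb.pem
key_file = /etc/couchdb/cert/privkey.pem
"""


def parse_ini(text):
    # CouchDB ini files use ';' comments and may carry '%' in values,
    # so interpolation is switched off.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit_couchdb_ini(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    cp = parse_ini(text)
    findings = []

    bind = cp.get("httpd", "bind_address", fallback="127.0.0.1").strip()
    public = bind not in LOOPBACK
    if public:
        findings.append(f"httpd.bind_address={bind}: listens beyond loopback")

    # An empty (or missing) [admins] section is the admin party.
    admins = cp.options("admins") if cp.has_section("admins") else []
    if not admins:
        where = "from the network" if public else "from localhost"
        findings.append(f"no [admins] entries (admin party): every client {where} is a server admin")

    if not cp.getboolean("couch_httpd_auth", "require_valid_user", fallback=False):
        findings.append("couch_httpd_auth.require_valid_user=false: anonymous requests reach the databases")

    # Only matters once the listener is reachable from other hosts.
    https = (cp.has_option("daemons", "httpsd")
             and cp.has_option("ssl", "cert_file")
             and cp.has_option("ssl", "key_file"))
    if public and not https:
        findings.append("no https listener ([daemons] httpsd / [ssl]): credentials cross the network in clear")

    return findings


if __name__ == "__main__":
    for name, ini in (("default", DEFAULT_INI), ("exposed", EXPOSED_INI), ("hardened", HARDENED_INI)):
        print(f"== {name} ==")
        for finding in audit_couchdb_ini(ini) or ["nothing flagged"]:
            print("  " + finding)
```

Running it prints two findings for the stock file (admin party reachable from localhost, no valid user required), four for the exposed one (the same two plus the public bind address and the missing https listener) and nothing for the hardened one, which is the distinction the thread draws between "not open to the world" and "secure".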