Subject: Re: For next NEWS - MongoDB security
From: Jan Lehnardt
To: marketing@couchdb.apache.org
Date: Mon, 16 Feb 2015 15:19:29 +0100
In-Reply-To: <480B23FF-4180-492A-80B1-A4C9FA0A831B@thehoodiefirm.com>
Would not add anything to news just yet. We might have a “Securing CouchDB” guide at some point which can be linked to, then :)

Best
Jan
--

> On 16 Feb 2015, at 15:09, Lena Reinhard wrote:
>
> Hi folks,
>
> thanks for sending over these links, Andy! To be quite honest, I'm not sure what to take out from the discussion that followed in terms of the News though. Could one of you help me clarify?
>
> Best,
> Lena
>
>
>> On 12 Feb 2015, at 12:00, Alexander Shorin wrote:
>>
>> On Thu, Feb 12, 2015 at 1:46 PM, Jan Lehnardt wrote:
>>>> On 12 Feb 2015, at 11:44, Alexander Shorin wrote:
>>>>
>>>> On Thu, Feb 12, 2015 at 1:36 PM, Jan Lehnardt wrote:
>>>>>> On 12 Feb 2015, at 09:51, Andy Wenk wrote:
>>>>>>
>>>>>> Alex,
>>>>>>
>>>>>> this is the marketing list. It is applicable that if you do not configure
>>>>>> CouchDB correctly you have security issues. All I want to say here is the
>>>>>> fact that not only MongoDB has security leaks when not configured
>>>>>> correctly but also CouchDB (and MySQL, and PostgreSQL and ...). So it is
>>>>>> worth mentioning the findings by these students in the news by pointing to
>>>>>> their website or paper.
>>>>>>
>>>>>> You are welcome to write an article or blog post about how to secure
>>>>>> CouchDB and which mechanisms are offered. Maybe also in comparison with
>>>>>> MongoDB. Would be extremely cool to then point to the article.
>>>>>
>>>>> I remember writing such a thing, but I can’t recall where. Anyone remember? :)
>>>>
>>>> This one?
>>>> http://podefr.tumblr.com/post/30895595277/securing-couchdb-in-3-steps
>>>
>>> Well, that wasn’t written by me, but this will do as a start.
>>>
>>> I want to make sure we communicate that a default CouchDB installation *is*
>>> secure and that we are thinking hard and long about how to not trick people
>>> into accidentally exposing their data. Because that’s what we do and always
>>> have done.
>>
>> Ah, you mean your post... no, I don't even recall such. But even those
>> that I posted here need additional notes about the require_valid_user
>> option and https.
>>
>> It's hard to say if "default installation is secure". It doesn't open
>> to the world by default, but everyone is admin there. Is it secure?
>> Technically, no. Could an arbitrary evil user hack such an installation from
>> outside? Technically, again, no, unless the user that installed CouchDB
>> made additional actions to expose it to the world (reverse proxy) or
>> if the evil user has access to localhost - with the first thing we cannot do
>> anything, just as with the second one.
>>
>> --
>> ,,,^..^,,,
>
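As an added example (not from the thread, and not CouchDB project code), a small Python audit of a CouchDB 1.x-style local.ini for the three conditions Alexander raises: an empty [admins] section (everyone is admin), a bind_address other than localhost without require_valid_user, and no httpsd daemon. The two ini samples are constructed, and the section and key names assume the CouchDB 1.x local.ini layout.

```python
"""Audit a CouchDB 1.x-style local.ini for the three exposure conditions raised
in the thread: admin party, exposure without require_valid_user, and no HTTPS."""
import configparser

# Constructed sample: CouchDB bound to all interfaces, but [admins] left empty
# (admin party) and require_valid_user still off.
WEAK_INI = """
[httpd]
bind_address = 0.0.0.0
[couch_httpd_auth]
require_valid_user = false
[admins]
; admin = -pbkdf2-...   (still commented out)
"""

# Constructed sample of the same file with the three settings corrected
# (the admin hash is a placeholder, not a real CouchDB credential).
HARDENED_INI = """
[httpd]
bind_address = 0.0.0.0
[couch_httpd_auth]
require_valid_user = true
[admins]
admin = -pbkdf2-PLACEHOLDERHASH,PLACEHOLDERSALT,10
[daemons]
httpsd = {couch_httpd, start_link, [https]}
"""

def audit_text(ini_text):
    """Return (severity, finding) tuples for ini_text; an empty list means clean."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string(ini_text)
    admins = cp.options("admins") if cp.has_section("admins") else []
    bind = cp.get("httpd", "bind_address", fallback="127.0.0.1").strip()
    exposed = bind not in ("127.0.0.1", "::1", "localhost")  # reachable beyond this host
    rvu = cp.get("couch_httpd_auth", "require_valid_user", fallback="false").strip().lower() == "true"
    https = cp.has_option("daemons", "httpsd")  # False when [daemons] is absent
    findings = []
    if not admins:
        # Empty [admins] is the "admin party": every request runs as server admin.
        findings.append(("high" if exposed else "medium", "admin party: no admin user defined"))
    if exposed and not rvu:
        findings.append(("high", "bind_address=%s without require_valid_user: anonymous access" % bind))
    if exposed and not https:
        findings.append(("medium", "no httpsd daemon: credentials cross the network in plaintext"))
    return findings
```

Run `audit_text` over a real local.ini's contents to get the same three findings for a live installation; a default localhost-only install reports only the medium admin-party finding.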