> On 12 Feb 2015, at 09:51, Andy Wenk <[email protected]> wrote:
>
> Alex,
>
> this is the marketing list. It is applicable that if you do not configure CouchDB correctly you have security issues. All I want to say here is the fact that not only MongoDB has security leaks when not configured correctly but also CouchDB (and mySQL, and PostgreSQL and ...). So it is worth mentioning the findings by these students in the news by pointing to their website or paper.
>
> You are welcome to write an article or blog post about how to secure CouchDB and which mechanisms are offered. Maybe also in comparison with MongoDB. Would be extremely cool to then point to the article.

I remember writing such a thing, but I can’t recall where. Anyone remember? :)

> Cheers
>
> Andy
>
> On 12 February 2015 at 09:31, Alexander Shorin <[email protected]> wrote:
>
>> On Thu, Feb 12, 2015 at 11:09 AM, Andy Wenk <[email protected]> wrote:
>>> The name MongoDB is interchangeable with CouchDB because:
>>>
>>> "The respective users of MongoDB are responsible for configuring their databases in a secure manner."
>>>
>>> Again, change MongoDB with CouchDB.
>>
>> I don't think this is applicable.
>>
>> 1) CouchDB by default doesn't listen on 0.0.0.0, just localhost;
>> 2) It's OK for CouchDB to be open to the world (without Admin Party);
>> 3) Users are always responsible for the security of their services and correct setup;
>> 4) It's always possible to make your setup vulnerable due to misconfiguration.
>>
>> You may also remember the epic story about served .git and .svn directories on major web sites a long time ago. Because their deployment was based on VCS and HTTP wasn't configured to exclude these files from serving, this doesn't mean that Git or SVN or Apache HTTPd are in the risk zone.
>>
>> Since 2.0 we disallow joining nodes into a cluster with Admin Party on board. As for single node, there was an idea to prevent setting bind_address to something different from localhost when Admin Party is on. While this is worth implementing anyway, there is nothing stopping users from just setting up a reverse proxy in front of such a CouchDB and providing worldwide access with server admin bits for everyone on the Internet.
>>
>> But we could encourage users to keep their CouchDB secure by providing a server audit feature out of the box which reads the config file and database security objects and prints out a report with the _possible_ security issues. Currently, there are a few such implementations made as third-party projects which almost nobody uses for real everyday work (I just think so).
>>
>> --
>> ,,,^..^,,,
>
>
> --
> Andy Wenk
> Hamburg - Germany
> RockIt!
>
> GPG fingerprint: C044 8322 9E12 1483 4FEC 9452 B65D 6BE3 9ED3 9588
>
> https://people.apache.org/keys/committer/andywenk.asc
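Added example, not part of the thread or of CouchDB itself: a minimal offline audit in the spirit of the server audit feature Alex describes, which reads a CouchDB 1.x-style local.ini and a database `_security` object and reports the Admin Party + non-localhost `bind_address` combination and open databases. The sample config and security object are constructed; the config keys assume the CouchDB 1.x ini layout.

```python
import configparser
import json

# Constructed sample: Admin Party (empty [admins]) bound to every interface.
SAMPLE_INI = """
[httpd]
bind_address = 0.0.0.0
port = 5984

[couch_httpd_auth]
require_valid_user = false

[admins]
"""

# Constructed sample _security object: no members, so any user can read/write.
SAMPLE_SECURITY = (
    '{"admins": {"names": [], "roles": []},'
    ' "members": {"names": [], "roles": []}}'
)

LOCAL_ONLY = ("127.0.0.1", "localhost", "::1")


def audit_config(ini_text):
    """Return a list of possible issues found in a local.ini-style config."""
    cfg = configparser.ConfigParser(allow_no_value=True)
    cfg.read_string(ini_text)
    issues = []
    # Admin Party: no [admins] section, or one with no entries at all.
    admin_party = not cfg.has_section("admins") or not cfg.options("admins")
    bind = cfg.get("httpd", "bind_address", fallback="127.0.0.1")
    if admin_party:
        issues.append("Admin Party: no server admins configured")
    if bind not in LOCAL_ONLY:
        issues.append("bind_address %s exposes the node beyond localhost" % bind)
        if admin_party:
            issues.append("CRITICAL: Admin Party node reachable from other hosts")
    if cfg.get("couch_httpd_auth", "require_valid_user", fallback="false") != "true":
        issues.append("require_valid_user is false: anonymous requests are allowed")
    return issues


def audit_security_object(db_name, sec_json):
    """Flag a database whose _security object has no members (open to everyone)."""
    members = json.loads(sec_json).get("members", {})
    if not members.get("names") and not members.get("roles"):
        return ["%s: empty members list, any user can read and write" % db_name]
    return []


if __name__ == "__main__":
    for line in audit_config(SAMPLE_INI) + audit_security_object("demo", SAMPLE_SECURITY):
        print(line)
```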
