Would not add anything to news just yet. We might have a “Securing CouchDB” guide at some point which can be linked to, then :)
Best
Jan

--

> On 16 Feb 2015, at 15:09, Lena Reinhard <[email protected]> wrote:
>
> Hi folks,
>
> thanks for sending over these links, Andy! To be quite honest, I'm not sure
> what to take out from the discussion that followed in terms of the News
> though. Could one of you help me clarify?
>
> Best,
> Lena
>
>
>> On 12 Feb 2015, at 12:00, Alexander Shorin <[email protected]> wrote:
>>
>> On Thu, Feb 12, 2015 at 1:46 PM, Jan Lehnardt <[email protected]> wrote:
>>>> On 12 Feb 2015, at 11:44, Alexander Shorin <[email protected]> wrote:
>>>>
>>>> On Thu, Feb 12, 2015 at 1:36 PM, Jan Lehnardt <[email protected]> wrote:
>>>>>> On 12 Feb 2015, at 09:51, Andy Wenk <[email protected]> wrote:
>>>>>>
>>>>>> Alex,
>>>>>>
>>>>>> this is the marketing list. It is applicable that if you do not configure
>>>>>> CouchDB correctly you have security issues. All I want to say here is the
>>>>>> fact that not only MongoDB has security leaks when not configured
>>>>>> correctly but also CouchDB (and MySQL, and PostgreSQL and ...). So it is
>>>>>> worth mentioning the findings by these students in the news by pointing
>>>>>> to their website or paper.
>>>>>>
>>>>>> You are welcome to write an article or blog post about how to secure
>>>>>> CouchDB and which mechanisms are offered. Maybe also in comparison with
>>>>>> MongoDB. Would be extremely cool to then point to the article.
>>>>>
>>>>> I remember writing such a thing, but I can’t recall where. Anyone
>>>>> remember? :)
>>>>
>>>> This one?
>>>> http://podefr.tumblr.com/post/30895595277/securing-couchdb-in-3-steps
>>>
>>> Well, that wasn’t written by me, but this will do as a start.
>>>
>>> I want to make sure we communicate that a default CouchDB installation *is*
>>> secure and that we are thinking hard and long about how to not trick people
>>> into accidentally exposing their data. Because that’s what we do and always
>>> have done.
>>
>> Ah, you mean your post... no, I don't even recall such. But even those
>> that I posted here need additional notes about the require_valid_user
>> option and https.
>>
>> It's hard to say if "default installation is secure". It isn't open
>> to the world by default, but everyone is admin there. Is it secure?
>> Technically, no. Could an arbitrary evil user hack such an installation from
>> outside? Technically, again, no, unless the user that installed CouchDB
>> took additional actions to expose it to the world (reverse proxy) or
>> the evil user has access to localhost. With the first thing we cannot do
>> anything, just as with the second one.
>>
>> --
>> ,,,^..^,,,
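The thread above turns on four settings of a CouchDB 1.x-era install: whether it listens beyond loopback, whether any server admin is defined (with none defined, every request is an admin: the "admin party" Alexander describes), whether require_valid_user is on, and whether HTTPS is enabled. As an added example that is not part of this thread and not code from the CouchDB project, here is a small Python audit that reads a local.ini and reports which of those are missing, run against a constructed stock-looking config and a constructed hardened one. The key names (httpd/bind_address, couch_httpd_auth/require_valid_user, the [admins] section, daemons/httpsd, [ssl] cert_file/key_file) are assumed to match the 1.x local.ini layout, and the -pbkdf2- line is a placeholder for the hash CouchDB writes after it rewrites a plaintext admin password on startup.

```python
import configparser
from typing import List

# Constructed sample resembling a stock 1.x local.ini: loopback only, but no
# admin defined (admin party), anonymous requests allowed, no HTTPS daemon.
DEFAULT_LOCAL_INI = """\
[httpd]
bind_address = 127.0.0.1
port = 5984

[couch_httpd_auth]
require_valid_user = false

[admins]
"""

# Constructed hardened counterpart. The -pbkdf2- value is a placeholder for
# the hashed form CouchDB stores; paths and section names are assumptions.
HARDENED_LOCAL_INI = """\
[httpd]
bind_address = 127.0.0.1
port = 5984

[couch_httpd_auth]
require_valid_user = true

[admins]
admin = -pbkdf2-<hash>,<salt>,10

[daemons]
httpsd = {couch_httpd, start_link, [https]}

[ssl]
cert_file = /etc/couchdb/cert/couchdb.pem
key_file = /etc/couchdb/cert/privkey.pem
"""

LOOPBACK = ("127.0.0.1", "::1", "localhost")


def parse_ini(text: str) -> configparser.ConfigParser:
    # allow_no_value: CouchDB ini files may contain bare keys; interpolation
    # off so '%' or braces in Erlang-style values are not misparsed.
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(text)
    return cp


def audit_couchdb_ini(text: str) -> List[str]:
    """Return a list of finding codes for a local.ini; empty means all checks passed."""
    cp = parse_ini(text)
    findings: List[str] = []

    # 1. Listening beyond loopback exposes the HTTP API to the network.
    bind = cp.get("httpd", "bind_address", fallback="127.0.0.1").strip()
    if bind not in LOOPBACK:
        findings.append("EXPOSED_BIND_ADDRESS")

    # 2. No entries under [admins] means every request runs as server admin.
    if not cp.has_section("admins") or not cp.options("admins"):
        findings.append("ADMIN_PARTY")
    else:
        # A value not in hashed form is a plaintext password still on disk
        # (CouchDB only rewrites it after a restart).
        for user, value in cp.items("admins"):
            if value is None or not value.startswith(("-hashed-", "-pbkdf2-")):
                findings.append(f"PLAINTEXT_ADMIN_PASSWORD:{user}")

    # 3. Without require_valid_user, unauthenticated requests are accepted
    #    and only per-database _security documents stand in the way.
    rvu = cp.get("couch_httpd_auth", "require_valid_user", fallback="false")
    if rvu.strip().lower() != "true":
        findings.append("ANONYMOUS_ACCESS_ALLOWED")

    # 4. Credentials travel in Basic auth / cookies, so HTTPS matters once
    #    anything but loopback can reach the port.
    if not cp.has_option("daemons", "httpsd") or not cp.has_option("ssl", "cert_file"):
        findings.append("NO_HTTPS")

    return findings


if __name__ == "__main__":
    for name, ini in (("default", DEFAULT_LOCAL_INI), ("hardened", HARDENED_LOCAL_INI)):
        print(name, audit_couchdb_ini(ini) or "OK")
```

The audit only sees the file, which is exactly the limit Alexander points out: a reverse proxy in front of a loopback-bound CouchDB exposes it without touching local.ini, so a clean bind_address check says nothing about that. Later CouchDB releases moved these keys (the chttpd section) and 3.x refuses to start without an admin, so the section names here are specific to the 1.x layout the thread is discussing.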
