On 16 February 2015 at 15:19, Jan Lehnardt <[email protected]> wrote:
> Would not add anything to news just yet. We might have a “Securing CouchDB” guide at some point which can be linked to, then :)
>

+1

>
> Best
> Jan
> --
>
> > On 16 Feb 2015, at 15:09, Lena Reinhard <[email protected]> wrote:
> >
> > Hi folks,
> >
> > thanks for sending over these links, Andy! To be quite honest, I'm not sure what to take out from the discussion that followed in terms of the News though. Could one of you help me clarify?
> >
> > Best,
> > Lena
> >
> >
> >> On 12 Feb 2015, at 12:00, Alexander Shorin <[email protected]> wrote:
> >>
> >> On Thu, Feb 12, 2015 at 1:46 PM, Jan Lehnardt <[email protected]> wrote:
> >>>> On 12 Feb 2015, at 11:44, Alexander Shorin <[email protected]> wrote:
> >>>>
> >>>> On Thu, Feb 12, 2015 at 1:36 PM, Jan Lehnardt <[email protected]> wrote:
> >>>>>> On 12 Feb 2015, at 09:51, Andy Wenk <[email protected]> wrote:
> >>>>>>
> >>>>>> Alex,
> >>>>>>
> >>>>>> this is the marketing list. It is applicable that if you do not configure CouchDB correctly you have security issues. All I want to say here is the fact that not only MongoDB has security leaks when not configured correctly but also CouchDB (and mySQL, and PostgreSQL and ...). So it is worth mentioning the findings by these students in the news by pointing to their website or paper.
> >>>>>>
> >>>>>> You are welcome to write an article or blog post about how to secure CouchDB and which mechanisms are offered. Maybe also in comparison with MongoDB. Would be extremely cool to then point to the article.
> >>>>>
> >>>>> I remember writing such a thing, but I can’t recall where. Anyone remember? :)
> >>>>
> >>>> This one?
> >>>> http://podefr.tumblr.com/post/30895595277/securing-couchdb-in-3-steps
> >>>
> >>> Well, that wasn’t written by me, but this will do as a start.
> >>>
> >>> I want to make sure we communicate that a default CouchDB installation *is* secure and that we are thinking hard and long about how to not trick people into accidentally exposing their data. Because that’s what we do and always have done.
> >>
> >> Ah, you mean your post... no, I don't even recall such. But even the ones that I posted here need additional notes about the require_valid_user option and https.
> >>
> >> It's hard to say if "default installation is secure". It isn't open to the world by default, but everyone is admin there. Is it secure? Technically, no. Could an arbitrary evil user hack such an installation from outside? Technically, again, no, unless the user that installed CouchDB took additional actions to expose it to the world (reverse proxy) or if the evil user has access to localhost; with the first thing we cannot do anything, just as with the second one.
> >>
> >> --
> >> ,,,^..^,,,
> >
> >

--
Andy Wenk
Hamburg - Germany
RockIt!

http://www.couchdb-buch.de
http://www.pg-praxisbuch.de

GPG fingerprint: C044 8322 9E12 1483 4FEC 9452 B65D 6BE3 9ED3 9588
https://people.apache.org/keys/committer/andywenk.asc
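The points Alexander raises (an empty `[admins]` section meaning everyone is admin, the require_valid_user option, https, and whether the listener is bound beyond localhost) can be checked mechanically against a CouchDB 1.x local.ini. This is an added example, not code from this thread or from the CouchDB project; the two ini files are constructed samples, and the section and key names are the CouchDB 1.x ones.

```python
"""Audit a CouchDB 1.x local.ini for the settings Alexander raises.
Added example, not CouchDB project code; the ini samples are constructed.
Keys are CouchDB 1.x ones: [admins], [couch_httpd_auth] require_valid_user,
[httpd] bind_address, and the httpsd entry in [daemons] (HTTPS listener)."""
import configparser
import io

# Constructed: a fresh install (empty [admins] = "admin party") that someone
# also bound to all interfaces.
WEAK_INI = """\
[httpd]
bind_address = 0.0.0.0
[couch_httpd_auth]
require_valid_user = false
[admins]
"""

# Constructed: the same file after the hardening steps.
HARDENED_INI = """\
[httpd]
bind_address = 127.0.0.1
[admins]
; a plaintext value here is hashed by CouchDB on its next start
admin = CHANGE_ME_PLACEHOLDER
[couch_httpd_auth]
require_valid_user = true
[daemons]
httpsd = {couch_httpd, start_link, [https]}
"""


def audit_couchdb_ini(text):
    """Return a list of findings; an empty list means nothing weak was found."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.read_file(io.StringIO(text))
    findings = []
    # No [admins] entries: every request runs with the _admin role.
    if not cp.has_section("admins") or not cp.options("admins"):
        findings.append("admin party: [admins] is empty, everyone is admin")
    # Without require_valid_user, anonymous clients reach the non-admin APIs.
    if cp.get("couch_httpd_auth", "require_valid_user", fallback="false").lower() != "true":
        findings.append("require_valid_user is not enabled")
    # Binding beyond loopback exposes the listener without a reverse proxy.
    bind = cp.get("httpd", "bind_address", fallback="127.0.0.1")
    if bind not in ("127.0.0.1", "::1"):
        findings.append(f"bind_address {bind} is not loopback")
    # No httpsd daemon: credentials and data go over plain HTTP.
    if not cp.has_option("daemons", "httpsd"):
        findings.append("HTTPS listener (httpsd daemon) is not enabled")
    return findings
```

Run it against a real local.ini by reading the file into a string; a hardened file should come back with no findings.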
