Hi Jed,

On Saturday, May 5, 2018 at 10:34:56 AM UTC-7, Jed Carty wrote:

> There are plenty of secure ways to use node as an externally facing server, I have one set up for tiddlywiki. But security is a difficult problem and it isn't obvious where there are security concerns, even to experienced security people. It is generally a good idea to go with a more conservative approach to security.

Yes. Security is messy. Which is why I assume that node isn't meant to be web-facing. I suppose you can use some sort of VPN. But it might be better to use syncthing, which has security baked in from the start.

> As a developer I do have responsibility for the things that I create so I am never going to make something that serves on 0.0.0.0 by default, nor anything that serves any file from the hard drive by default because it is unreasonable to expect everyone who uses what I make to understand the security and privacy implications of that.

Uhmm ... when I launch your multi-user node (a few days older version) I get

    Serving on 0.0.0.0:8080

I'm pretty sure *I* didn't put that 0.0.0.0 there. Unless it's the dust-bunnies carousing in my memory palace.

> Anything that we make as the basic version of tiddlywiki should be as safe as possible. That means no serving arbitrary files by default. If people want to change the settings they are free to do that, but here there be dragons.

True, but it's not in there at all. Nor any warning or direction about images. And no alert about the dangers of coffee-shop use, which for a lot of people is a main use-case.

-- Mark

