To have to reconfigure an example server just to allow connections from other hosts is kinda a big price to pay
A big price? I’m sorry, but changing “127.0.0.1” to “*” is not a big price. I mean, if that’s a big price, then the price of moving the example config into place and using it must be enormous, but that’s what’s expected to get a secure config. How are new users to overcome such a challenge? Anybody just screwing around with redis for development is running it on the same machine anyway, so localhost only wouldn’t be a major impediment.
Shodan lists 15,617 publicly accessible redis instances. I assume that a lot of them didn’t bother to change the defaults. I agree completely, changing that single default to bind to localhost would prevent a ton of people from shooting themselves in the foot.
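As an added example (not code from this thread, from Redis, or from any package maintainer), here is a small audit script for the setting the comments above are arguing about. It parses a redis.conf and reports whether the `bind` directive leaves the listener reachable from other hosts, and, if so, whether `protected-mode` and `requirepass` are at least set. The two sample configs are constructed for illustration; the directive names are real Redis directives, and the assumption that `protected-mode` defaults to `yes` reflects Redis 3.2 and later. `include` files are not followed.

```python
"""Audit a redis.conf for the settings that decide network exposure.

Added example, not part of the original thread. Only the `bind`,
`protected-mode` and `requirepass` directives are examined; `include`
files are not followed.
"""
import ipaddress
import shlex
import sys

# Constructed sample: the "just change 127.0.0.1 to *" edit, plus protected
# mode switched off because it got in the way of a remote client.
WEAK_CONF = """
port 6379
bind *
protected-mode no
"""

# Constructed sample: loopback only (Redis 7 syntax, '-' means "skip if the
# address is unavailable"), protected mode kept, and a password required.
HARDENED_CONF = """
port 6379
bind 127.0.0.1 -::1
protected-mode yes
requirepass "example-only-not-a-real-secret"
"""

LOOPBACK_NAMES = {"localhost"}


def parse_redis_conf(text):
    """Return (directive, [args]) pairs in file order, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # redis.conf allows quoted arguments
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def is_loopback(addr):
    """True for 127.0.0.1, ::1, 'localhost', including the '-' prefixed forms."""
    addr = addr.lstrip("-")
    if addr in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:                     # '*', '::*', hostnames: not loopback
        return False


def audit(text):
    """Return a list of findings; an empty list means the listener is loopback-only."""
    findings = []
    bind = None
    protected = "yes"                      # Redis default since 3.2 (assumption noted in lead-in)
    requirepass = False
    for directive, args in parse_redis_conf(text):
        if directive == "bind":
            bind = args
        elif directive == "protected-mode" and args:
            protected = args[0].lower()
        elif directive == "requirepass" and args and args[0]:
            requirepass = True

    if bind is None:
        exposed = ["(all interfaces, no bind directive)"]
    else:
        exposed = [a for a in bind if not is_loopback(a)]
    if not exposed:
        return findings                    # loopback only: nothing else matters for exposure

    findings.append("reachable from other hosts: " + ", ".join(exposed))
    if protected != "yes":
        findings.append("protected-mode is off")
    if not requirepass:
        findings.append("requirepass unset: no authentication for remote clients")
    return findings


if __name__ == "__main__":
    # Usage: python audit_redis_conf.py /etc/redis/redis.conf
    # With no argument, the two constructed samples are audited instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            confs = {sys.argv[1]: fh.read()}
    else:
        confs = {"WEAK_CONF": WEAK_CONF, "HARDENED_CONF": HARDENED_CONF}
    for name, text in confs.items():
        print(name + ":", audit(text) or ["ok, loopback only"])
```

The check deliberately treats `protected-mode` and `requirepass` as secondary: they are backstops once the instance is already reachable, while binding to loopback is the one change that takes the instance off the network entirely, which is the point made above.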
Honestly, the idea of a “trusted network” is wholly counter to a defense in depth strategy. It’s a damn shame to see that redis doesn’t provide sane defaults, and that the onus for that is falling on package maintainers. This isn’t a problem just with redis; it seems to be with many other caches as well. This seems like a gross oversight, since stealing or modifying cache contents could be a massive security issue.
That said, I am happy to see that while they used to traditionally tell people to use stunnel, the developers have revisited the issue and TLS support is coming.
The varnish people have a relatively elaborate argument for not having SSL in their system core: https://www.varnish-cache.org/docs/trunk/phk/ssl.html