
  2. 5

    The real question is whether or not it binds to 0.0.0.0 by default. Given the track record of Redis, I am going to assume yes. Will also assume it supports plain-text-only password auth, if any, and dynamic config with filesystem writing, etc., which will of course leave lots of people open to getting pwned again.

    But, maybe I am wrong.

    1. 3

      The real question is whether or not it binds to 0.0.0.0 by default.

      Yes

      Will also assume it supports plain-text-only password auth

      Yes

      and dynamic config with filesystem writing, etc., which will of course leave lots of people open to getting pwned again.

      Not too sure about the last part, but I also share your assumption.

      To be fair though, Redis was never sold as a secure database, only a fast one. I wonder if you could use something like stunnel to mitigate the security issues? (haven’t tried this)

      1. 3

        To be fair though, Redis was never sold as a secure database, only a fast one.

        That’s not being fair, though. Binding to all interfaces is just a dumb default.

        1. 2

          Stunnel does work, and is typically the way I “secure”/use Redis at work.

          Redis never said it was secure, and that is fine. The problem comes from the assumption a user will have when using it. An insecure and stupid default for better developer experience is the wrong choice when getting rooted is the potential outcome.

          1. 1

            Unfortunately I’ve seen situations where users scream “I can’t connect to my database!” because they didn’t bind to the correct IP (and I admit to having been in that situation myself, before I knew better). But yeah, better education/tools/auto-config to improve the out-of-the-box experience is really important (which is, I believe, one of the reasons MongoDB is so popular).

            1. 2

              I would argue that the experience of having all your data deleted by Mallory, or having someone install a rootkit, is far worse experience than a bit of frustration about not being able to connect to the database.

              It is easy to add a small section in the INSTALL file that talks about this. And, if a developer is sooo inconvenienced by this, they really need to choose another career. Security, privacy, etc. is the responsibility of everyone. And, I’m tired of having to trust data to idiots that can’t be bothered to take the simplest precautions, or read an INSTALL file.

              1. 1

                Oh, I totally agree. However, out of the devs who installed Redis, what percentage experienced security breaches? To say that a breach is a worse experience than struggling to get the thing to work is true, but if most devs don’t experience a breach, they’ll see the out-of-the-box experience as most important. Not saying they’re right to think that, but if the goal is adoption of a database, then that’s more important than security – at least according to the actions of such vendors.

                Security, privacy, etc. is the responsibility of everyone.

                Yep, except until developers and companies are legally liable for their actions (or lack thereof), I don’t see that changing very much. Lawyers can be disbarred due to carelessness, but developers who don’t secure things can’t be, because there’s no licensing standard to be held to.

                1. 1

                  Yep, except until developers and companies are legally liable for their actions (or lack thereof), I don’t see that changing very much. Lawyers can be disbarred due to carelessness, but developers who don’t secure things can’t be, because there’s no licensing standard to be held to.

                  Companies could be held accountable, and as a result individual developers (c|w)ould be held accountable. Target’s massive data breach resulted in a class action lawsuit, for instance. People at Target will lose jobs (if they haven’t already). Will developers? I have no idea.

                  But, yes, you are mostly correct. Developers of software live in luxury in terms of accountability. Sadly.
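As an added example, not code from the thread above or from the Redis project: a small Python audit that reads a redis.conf and reports the weaknesses the thread keeps circling back to, namely a missing or wildcard `bind` (listening on every interface), `protected-mode no`, no `requirepass`, a password that would travel in cleartext on a remotely reachable port without TLS (the gap stunnel is being used to cover), and a CONFIG command left reachable (the "dynamic config with filesystem writing" point, since CONFIG SET can change `dir` and `dbfilename` at runtime). The three configuration fragments are constructed for illustration; the directive names are Redis's own, and the finding keys and messages are this example's choice.

```python
"""Audit a redis.conf for the weak settings discussed in the thread.

Added example, not code from the page or from the Redis project.
The configuration fragments below are constructed for illustration.
"""
import shlex

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
# Values that make `bind` listen on every interface. Redis allows a leading
# "-" (don't fail if the address is unavailable), which parse_conf strips.
WILDCARD = {"0.0.0.0", "::", "*", "::*"}

# Constructed: the "ship it and it just works" shape of the file.
WEAK_CONF = """
# bind 127.0.0.1        <- commented out, so the server listens on all interfaces
port 6379
protected-mode no
# requirepass foobared
dir /var/lib/redis
"""

# Constructed: password set, but the port is reachable from the network.
EXPOSED_CONF = """
bind 0.0.0.0
port 6379
requirepass "hunter2"
dir /var/lib/redis
"""

# Constructed: loopback only, password, CONFIG and DEBUG disabled.
HARDENED_CONF = """
bind 127.0.0.1 -::1
port 6379
protected-mode yes
requirepass "a-long-random-secret"
rename-command CONFIG ""
rename-command DEBUG ""
dir /var/lib/redis
"""


def parse_conf(text):
    """Yield (directive, args) from redis.conf text.

    One directive per line, whitespace-separated arguments, double quotes for
    arguments containing spaces or for the empty string, '#' starts a comment
    line. Directive names are compared case-insensitively.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # turns "" into an empty-string argument
        yield parts[0].lower(), parts[1:]


def audit(text):
    """Return a list of (key, message) findings; [] means none were found."""
    binds, disabled, settings = [], set(), {}
    for directive, args in parse_conf(text):
        if directive == "bind":
            binds.extend(a.lstrip("-") for a in args)
        elif directive == "rename-command" and len(args) == 2 and args[1] == "":
            disabled.add(args[0].upper())  # renamed to "" means removed
        else:
            settings[directive] = args

    findings = []
    if not binds or WILDCARD & set(binds):
        findings.append(("bind-all",
                         "no bind directive or a wildcard bind: the server listens on every interface"))
    reachable_remotely = not binds or any(b not in LOOPBACK for b in binds)

    if (settings.get("protected-mode") or ["yes"])[0].lower() == "no":
        findings.append(("protected-mode-off",
                         "protected-mode no: unauthenticated remote clients are accepted"))

    password = settings.get("requirepass") or [""]
    if not password[0]:
        findings.append(("no-password",
                         "no requirepass: anyone who can reach the port has full access"))
    elif reachable_remotely and "tls-port" not in settings:
        findings.append(("cleartext-password",
                         "requirepass is sent in cleartext: add tls-port (Redis 6+), "
                         "front the port with stunnel, or bind to loopback only"))

    if "CONFIG" not in disabled:
        findings.append(("config-enabled",
                         "CONFIG is reachable: a client can change dir/dbfilename at runtime "
                         "and make the server write its dump file to a path of its choosing"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("exposed", EXPOSED_CONF),
                       ("hardened", HARDENED_CONF)):
        print(name, [key for key, _ in audit(conf)])
```

The `rename-command CONFIG ""` check is the one the example uses because it works on every Redis version; on Redis 6+ an ACL rule that denies the command to each user does the same job, and the audit would need extending to recognise it.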