Clarifications on the Incapsula Redis security report

Clarifications on the Incapsula Redis security report(antirez.com)

47 points by bjerun 7 years ago | 13 comments

gomox 7 years ago |

It seemed strange to me that the protected mode text warning gives a long winded explanation on 3 ways to disable protected mode first, and leaves the most desireable (change the bind address or password) option for last with a much more brief and less helpful explanation.

I would have done a long detailed explanation on bind addr/password, and a "you can also disable protected mode by looking up how to do it on XXXXX" at the end.

Based on my experience with product design decisions, that detail right there probably had a huge impact on the actual adoption of the desired choice.

antirez 7 years ago | |

I agree, thanks for the suggestion.

gomox 7 years ago | | |

Thanks to you, for the awesome software!

jamiesonbecker 7 years ago |

I love Redis, and antirez is a genius. The simple solution is usually the most secure: Redis should just bind to localhost by default, unless it's specifically told to bind to other interfaces.

mirceal 7 years ago |

I think while it’s bad to have people thinking that Redis has “security” issues, no matter what you do people will find ways to work around it.

I personally would like to see Redis focus on what it’s best for and not add additional “features” for the purpose of PR.

Redis is an awesome piece of software, but at the end of the day, the user of the software is responsible for using it properly.

twic 7 years ago |

Surely the real WTF here is that Redis allows unauthenticated connections over the network at all?

I appreciate that it's too late to go back and change this, as it would break existing installations on upgrade, but perhaps it's worth pointing that out for the benefit of future server developers.

If you want to make things easy for initial setup, you could allow unauthenticated connections over UNIX domain sockets, and/or the loopback interface. And perhaps only if there is no password configured?

If you want to really make it hard for users to screw up, how about requiring the admin to configure a password for remote access, but also generating some random secret on installation or first boot, and requiring both for authentication. Then, even a weak password doesn't make it easy for a remote attacker to gain access.

antirez 7 years ago | |

Hello twic, since version 4 Redis by default does not accept connections that are not originating from localhost. Yet we have still problems! Please read the blog post for the exact details about why sane defaults were not enough.

snowwolf 7 years ago | | |

I think the point the parent is trying to make is why allow options 1-3 (disable protected mode) at all? Why not require only option 4 to accept non localhost connections?

Although that doesn’t stop someone setting up an install script with a “default” password that becomes known.

twic 7 years ago | | |

I read the blog post; what i learned from it is that because sane default choices aren't enough, you also have to disallow insane explicit choices!

Kiro 7 years ago | |

I don't want to bother with authentication if it's within my own private network.

brasetvik 7 years ago | | |

And that's why server side request forgery (SSRF) is so dangerous.