Clarifications on the Incapsula Redis security report

47 points, by bjerun, almost 7 years ago

4 comments

gomox, almost 7 years ago

It seemed strange to me that the protected mode text warning gives a long winded explanation on 3 ways to disable protected mode first, and leaves the most desirable (change the bind address or password) option for last with a much more brief and less helpful explanation.

I would have done a long detailed explanation on bind addr/password, and a "you can also disable protected mode by looking up how to do it on XXXXX" at the end.

Based on my experience with product design decisions, that detail right there probably had a huge impact on the actual adoption of the desired choice.

Comment #17220212 not loaded
jamiesonbecker, almost 7 years ago

I love Redis, and antirez is a genius. The simple solution is usually the most secure: Redis should just bind to localhost by default, unless it's specifically told to bind to other interfaces.
mirceal, almost 7 years ago

I think while it's bad to have people thinking that Redis has "security" issues, no matter what you do people will find ways to work around it.

I personally would like to see Redis focus on what it's best for and not add additional "features" for the purpose of PR.

Redis is an awesome piece of software, but at the end of the day, the user of the software is responsible for using it properly.
twic, almost 7 years ago

Surely the real WTF here is that Redis allows unauthenticated connections over the network at all?

I appreciate that it's too late to go back and change this, as it would break existing installations on upgrade, but perhaps it's worth pointing that out for the benefit of future server developers.

If you want to make things easy for initial setup, you could allow unauthenticated connections over UNIX domain sockets, and/or the loopback interface. And perhaps only if there is no password configured?

If you want to really make it hard for users to screw up, how about requiring the admin to configure a password for remote access, but also generating some random secret on installation or first boot, and requiring both for authentication. Then, even a weak password doesn't make it easy for a remote attacker to gain access.

Comment #17219278 not loaded

Comment #17220175 not loaded
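The thread's point is that the safe fix is a loopback bind or a password, not disabling protected mode. As an added example (not code from the thread or from Redis), here is a small check that reads a redis.conf fragment and flags the exposures the commenters describe; the function name `audit` and the constructed config fragments are assumptions, and the rule that protected mode only applies when neither `bind` nor `requirepass` is set follows Redis' documented behaviour.

```python
# Added example, not part of the original thread or of Redis itself.
# Flags a non-loopback bind or disabled protected mode without a requirepass.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_conf(text):
    """Return {directive: last value}, ignoring blank lines and comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_conf(text)
    has_password = bool(conf.get("requirepass"))
    protected = conf.get("protected-mode", "yes").lower() == "yes"
    findings = []
    if "bind" in conf:
        # Redis 6+ allows an optional "-" prefix on bind addresses; strip it.
        addrs = [a.lstrip("-") for a in conf["bind"].split()]
        exposed = [a for a in addrs if a not in LOOPBACK and not a.startswith("127.")]
        if exposed and not has_password:
            # Protected mode is not in effect once bind is set, so only a password helps.
            findings.append("bind %s without requirepass: unauthenticated network access"
                            % " ".join(exposed))
    elif not has_password:
        if protected:
            findings.append("no bind and no requirepass: protected mode is the only guard; "
                            "set bind 127.0.0.1 or a password")
        else:
            findings.append("protected-mode no with no bind and no requirepass: "
                            "open on every interface without authentication")
    return findings


# Constructed config fragments for demonstration (not from any real host).
DISABLED_PROTECTION = "protected-mode no\nport 6379\n"
EXPOSED_BIND = "bind 0.0.0.0\nprotected-mode yes\n"
HARDENED = "bind 127.0.0.1 -::1\nrequirepass PLACEHOLDER_CHANGE_ME\n"

if __name__ == "__main__":
    for name, frag in (("disabled", DISABLED_PROTECTION), ("exposed", EXPOSED_BIND),
                       ("hardened", HARDENED)):
        print(name, audit(frag) or ["ok"])
```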