by jdsully 2646 days ago
Because if you make any mistake at all, Redis will allow you shell access to the machine. This is not a theoretical attack; Antirez tells you how to do it in his blog post.

And as you said, nobody bothers to tunnel with TLS. You're lucky if they even use a password.


Yeah exactly; which is why ideally, the container or box running Redis:

- Has practically nothing other than Redis on it.

- Has Redis running with minimal permissions and capabilities.

- Has no ability to make outgoing connections.

Which I'd say is vital security practice for anything running in production.

Few people will bother with TLS, and you can see that based on the fact that I don't think cloud providers generally support it, but I personally did do this with stunnel at one time. Apparently Redis now recommends spiped, which looks good to me.
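The three points in that reply (nothing else on the box, minimal permissions and capabilities, no outgoing connections) map fairly directly onto container settings. The docker-compose file below is an added example, not something from the thread or from the Redis project; the service and network names, the `999:999` uid/gid (the `redis` user in the official image) and the `REDIS_PASSWORD` variable are assumptions.

```yaml
# Added example: a Redis service locked down along the lines of the comment above.
# Assumptions: the official redis image, uid/gid 999 for its redis user, and a
# REDIS_PASSWORD variable supplied from the environment or an .env file.
services:
  redis:
    image: redis:7-alpine            # a single-purpose image: practically nothing but Redis on it
    command:
      - redis-server
      - --protected-mode
      - "yes"                        # refuse unauthenticated clients even if a bind slips
      - --requirepass
      - ${REDIS_PASSWORD:?set REDIS_PASSWORD}   # compose fails fast if no password is set
    user: "999:999"                  # never run as root inside the container
    read_only: true                  # root filesystem is immutable...
    volumes:
      - redis-data:/data             # ...except the persistence directory
    tmpfs:
      - /tmp
    cap_drop:
      - ALL                          # Redis listens on 6379 (>1024), so it needs no capability at all
    security_opt:
      - no-new-privileges:true       # setuid binaries cannot regain privileges
    networks:
      - backend                      # reachable only from services on this network
    restart: unless-stopped

  app:
    image: example/app:latest        # placeholder: whatever actually talks to Redis
    environment:
      REDIS_URL: redis://:${REDIS_PASSWORD:?set REDIS_PASSWORD}@redis:6379/0
    networks:
      - backend
      - frontend                     # the app, not Redis, is the one that may need the outside

networks:
  backend:
    internal: true                   # no default route: Redis cannot make outgoing connections
  frontend:

volumes:
  redis-data:
```

Nothing here publishes a port on the host, so Redis is only reachable by name from containers attached to `backend`, and `internal: true` removes the route that a reverse shell or data exfiltration would need. The password still matters: an internal network limits who can reach the socket, not what a compromised neighbour can do once it gets there. Anything that terminates TLS, whether stunnel or spiped as mentioned above, would sit on the `backend` network in front of this service.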