[baseten-users] Client-server app
Marko Karppinen
marko at karppinen.fi
Mon Jul 6 13:33:46 EEST 2009
On 5.7.2009, at 23.23, Daniel Brajkovic wrote:
> Sorry, I just can't let it go. Tuukka, I hope you had a great holiday.
>
> I found this link describing how he used Distributed Objects with
> CoreData. I tried to adapt it to BaseTen. But no luck. Maybe
> you'll have better luck.
Hi Daniel -- I've been following this discussion from the start but
haven't been able to participate before. Sorry about that. Let's start
from the beginning.
You wanted to have a BaseTen application work over the internet, but
were cautioned not to make Postgres itself accessible to the whole
world. That's sound advice, generally called Security in Depth: all
things being equal, adding another layer of security should make the
whole system more secure.
All things are never equal, though. Postgres in particular has a very
solid and mature security infrastructure, and its fine-grained
permission system is likely to be much more secure than anything you'd
roll on your own. And that's crucial here, because if you think about
it, your plan of using DO is not adding a layer of security on top of
Postgres's, but is instead replacing the security layer Postgres
provides by your own code in the Cocoa layer.
This is true of most web application frameworks, too: typically the
app server accesses the database with near-to-superuser privileges,
leaving the framework's security layer as the only protection between
an attacker and all of your data.
I'm not saying that web application frameworks -- or your Cocoa code
-- are insecure, though. I'm just saying that there's no reason to
believe they are more secure than Postgres.
Here's my recommendation:
The VPN suggestion was a sensible one, and I think you turned it down
because of the idea of your users needing to fiddle with VPN settings
etc -- surely a non-starter. But thinking of VPN a bit more broadly,
it would surely be possible to integrate pseudo-VPN functionality into
your app so that your users wouldn't need to worry about it at all.
Specifically, I'm thinking of your application automatically opening
an SSH tunnel onto your database server. This would make the Postgres
socket only accessible to licensed users of your app.
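The tunnel described above, as an added example (this is not code from the thread or from BaseTen): a POSIX shell script the app could invoke to bring up the SSH forward, check that its local end is bound to loopback only, and tear it down afterwards. The host, SSH account, key path, ports and Postgres role are constructed placeholders.

```shell
#!/bin/sh
# Added example: the client app runs this to open an SSH tunnel to the
# database host, then points libpq/BaseTen at 127.0.0.1:$LOCAL_PORT.
# Host, account, key path and ports below are constructed placeholders.
DB_HOST="db.example.net"               # assumed server running sshd + Postgres
SSH_USER="pgtunnel"                    # assumed account allowed only to forward
KEY="$HOME/.ssh/pgtunnel_key"          # assumed per-licensed-user key
LOCAL_PORT=15432
CTRL="${TMPDIR:-/tmp}/pgtunnel.$$"     # control socket for deterministic teardown

# A forward spec is acceptable only if its local end binds to loopback. A bare
# "port:host:port" spec follows ssh's GatewayPorts setting and can end up
# listening on every interface of the client machine, exposing the tunnel.
safe_forward_spec() {
    case "$1" in
        127.0.0.1:*:*:*|localhost:*:*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Local loopback port -> Postgres on the server's own loopback interface.
forward_spec() {
    printf '127.0.0.1:%s:127.0.0.1:5432\n' "$LOCAL_PORT"
}

open_tunnel() {
    spec=$(forward_spec)
    safe_forward_spec "$spec" || { echo "refusing non-loopback forward: $spec" >&2; return 1; }
    # -N: no remote command; -f: background after authentication;
    # ExitOnForwardFailure turns a failed port bind into a non-zero exit
    # instead of a silently useless session.
    ssh -N -f -i "$KEY" \
        -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
        -o ControlMaster=yes -o ControlPath="$CTRL" \
        -L "$spec" "$SSH_USER@$DB_HOST"
}

close_tunnel() {
    ssh -S "$CTRL" -O exit "$SSH_USER@$DB_HOST" 2>/dev/null
}

# Server side (comment only, not run here): postgresql.conf
#   listen_addresses = 'localhost'
# so Postgres never listens on a public interface, and pg_hba.conf
#   host  appdb  appuser  127.0.0.1/32  md5
# so each tunnelled connection still authenticates as its own Postgres role
# and keeps the GRANT-based permissions Marko describes.
if [ "${1:-}" = "run" ]; then
    open_tunnel && PGHOST=127.0.0.1 PGPORT="$LOCAL_PORT" psql -U appuser appdb
    close_tunnel
fi
```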
Finally, as you've already found out, DO is not without its problems.
Here's a blog post outlining many of them: http://mooseyard.com/Jens/2009/07/the-subtle-dangers-of-distributed-objects/
To me, that stuff sounds way worse than exposing a well-secured
Postgres instance to your paying subscribers.
Marko