Re: ssl connections to postgresql

From: Lincoln Yeoh <lyeoh(at)pop(dot)jaring(dot)my>
To: "James B(dot) Byrne" <byrnejb(at)harte-lyne(dot)ca>, pgsql-general(at)postgresql(dot)org
Subject: Re: ssl connections to postgresql
Date: 2007-07-27 16:31:54
Message-ID: 200707271634.l6RGYwLk096533@smtp6.jaring.my
Lists: pgsql-general

At 05:13 AM 7/25/2007, James B. Byrne wrote:

>I can connect from the httpd host to the postgresql host using psql and it
>shows that an ssl connection with a 256 bit key is in use. However, I
>would like to verify that the web app is also using ssl and I cannot seem
>to find any logging setting or other mechanism that will explicitly state
>that the connection made by this application is using ssl.

The way to verify it is to look at the traffic (e.g. use tcpdump,
ethereal or a sniffer) and see what is actually happening.

Using SSL is good, but if the network between the database and
webserver is "fairly trusted/secured" in my opinion it is usually
much easier to break into the webserver remotely than sniff traffic
between a webserver and the database server remotely (unless you are
doing something seriously wrong ;) ). If the situation really calls
for SSL, you might as well use certs on both sides to prevent MITM attacks.

Because usually once you get onto the webserver, whatever the webapp
can do, you can do.

The other way to get unauthorized access to data, is to steal/copy
the database backup tapes, or work as a cleaner and stick strange
little devices between the keyboards and the computers and fetch the
passwords later.

Lastly if an attacker is in a position to sniff traffic between your
webserver and database server, you're in trouble already.

Regards,
Link.
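As an added example (not part of the original thread), the following script shows what "look at the traffic" means in practice for PostgreSQL: it classifies the first bytes a client sends after TCP connect and decides from a captured exchange whether the session negotiated SSL. The protocol constants are the real ones from the PostgreSQL 3.0 frontend/backend protocol (an SSLRequest is the 8-byte message with code 80877103; a plaintext StartupMessage carries protocol version 196608 followed by key/value pairs). The captured exchanges below are constructed inline; the function and constant names are the example's own, not libpq's.

```python
import struct

# PostgreSQL frontend/backend protocol constants (protocol version 3.0).
SSL_REQUEST_CODE = 80877103   # (1234 << 16) | 5679, sent in place of a StartupMessage
PROTOCOL_3_0 = 196608         # (3 << 16) | 0
TLS_HANDSHAKE = 0x16          # content type of a TLS record carrying a ClientHello


def build_startup_message(params: dict) -> bytes:
    """Build a plaintext StartupMessage: Int32 length, Int32 protocol, key\\0value\\0 ... \\0."""
    body = b"".join(k.encode() + b"\0" + v.encode() + b"\0" for k, v in params.items()) + b"\0"
    return struct.pack("!II", 8 + len(body), PROTOCOL_3_0) + body


def classify_first_client_message(data: bytes) -> str:
    """Classify the first bytes a PostgreSQL client sends after the TCP handshake."""
    if len(data) >= 8:
        length, code = struct.unpack("!II", data[:8])
        if length == 8 and code == SSL_REQUEST_CODE:
            return "ssl-request"
        if code == PROTOCOL_3_0 and length <= len(data):
            return "plaintext-startup"
    # A TLS record starts with content type 0x16 and major version 0x03.
    if len(data) >= 3 and data[0] == TLS_HANDSHAKE and data[1] == 0x03:
        return "tls-record"
    return "unknown"


def parse_startup_params(data: bytes) -> dict:
    """Recover the key/value pairs (user, database, ...) that a plaintext StartupMessage exposes on the wire."""
    (length,) = struct.unpack("!I", data[:4])
    fields = data[8:length].split(b"\0")
    params = {}
    it = iter(fields)
    for key in it:          # pairs are key, value, ..., terminated by an empty key
        if key == b"":
            break
        params[key.decode()] = next(it).decode()
    return params


def session_uses_ssl(exchange) -> str:
    """Decide from an in-order list of (direction, bytes) whether the session went to SSL.

    direction is 'C' (client->server) or 'S' (server->client).
    Returns 'ssl', 'plaintext' or 'unknown'.
    """
    msgs = list(exchange)
    if not msgs or msgs[0][0] != "C":
        return "unknown"
    first = classify_first_client_message(msgs[0][1])
    if first == "plaintext-startup":
        return "plaintext"              # client never asked for SSL at all
    if first != "ssl-request":
        return "unknown"
    # The server answers an SSLRequest with a single byte: 'S' (go ahead) or 'N' (no SSL).
    if len(msgs) < 3 or msgs[1][0] != "S" or msgs[2][0] != "C":
        return "unknown"
    answer = msgs[1][1]
    follow_up = classify_first_client_message(msgs[2][1])
    if answer == b"S" and follow_up == "tls-record":
        return "ssl"
    if answer == b"N" and follow_up == "plaintext-startup":
        return "plaintext"              # e.g. libpq sslmode=prefer quietly falling back to the clear
    return "unknown"


# Constructed sample captures (not real traffic).
SSL_REQUEST = struct.pack("!II", 8, SSL_REQUEST_CODE)
TLS_CLIENT_HELLO_PREFIX = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01])   # record header + handshake type only
PLAIN_STARTUP = build_startup_message({"user": "webapp", "database": "shop"})

SSL_SESSION = [("C", SSL_REQUEST), ("S", b"S"), ("C", TLS_CLIENT_HELLO_PREFIX)]
FALLBACK_SESSION = [("C", SSL_REQUEST), ("S", b"N"), ("C", PLAIN_STARTUP)]
PLAIN_SESSION = [("C", PLAIN_STARTUP)]

if __name__ == "__main__":
    for name, session in [("ssl", SSL_SESSION), ("fallback", FALLBACK_SESSION), ("plain", PLAIN_SESSION)]:
        print(name, "->", session_uses_ssl(session))
    print("leaked startup params in the plaintext case:", parse_startup_params(PLAIN_STARTUP))
```

To feed this with real bytes, capture the web app's connection on the database host (for example `tcpdump -nn -X port 5432` on the interface facing the web server) and copy the first client payload into `classify_first_client_message`. The fallback case is the one worth checking for: a client that sends an SSLRequest, gets 'N', and then continues with a plaintext StartupMessage looks to the application as if it "tried SSL" but the user name, database name and subsequent password message all cross the wire in the clear.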

