From: | Bruce Momjian <bruce(at)momjian(dot)us> |
---|---|
To: | Michael Paquier <michael(at)paquier(dot)xyz> |
Cc: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Magnus Hagander <magnus(at)hagander(dot)net>, Stephen Frost <sfrost(at)snowman(dot)net> |
Subject: | Re: Postgres 11 release notes |
Date: | 2018-05-17 13:56:21 |
Message-ID: | 20180517135621.GB546@momjian.us |
Lists: | pgsql-hackers pgsql-www |
On Thu, May 17, 2018 at 09:48:54PM +0900, Michael Paquier wrote:
> On Wed, May 16, 2018 at 09:09:22PM -0400, Bruce Momjian wrote:
> > On Thu, May 17, 2018 at 09:56:49AM +0900, Michael Paquier wrote:
> >> On Wed, May 16, 2018 at 08:20:49PM -0400, Bruce Momjian wrote:
> >>> SCRAM-with-binding is the first password method that attempts to avoid
> >>> man-in-the-middle attacks, and therefore is much less likely to be able
> >> to trust what the endpoints support. I think it is really the
> >>> channel_binding_mode that we want to control at the client. The lesser
> >>> modes are much more reasonable to use an automatic best-supported
> >>> negotiation, which is what we do now.
> >>
> >> Noted. Which means that the parameter is ignored when using a non-SSL
> >> connection, as well as when the server tries to enforce the use of
> >> anything else than SCRAM.
> >
> > Uh, a man-in-the-middle could prevent SSL or ask for a different
> > password authentication method and then channel binding would not be
> > used. I think when you say you want channel binding, you have to fail
> > if you don't get it.
>
> I am not exactly sure what is the result we are looking for here, so I
> am adding for now an open item which refers to this part of the thread.
> Please note that I am fine to spend cycles if needed to address any
> issues and/or concerns. Let the discussion continue for now.
Agreed, and I just posted a more detailed email about when
authentication downgrades are possible.
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +
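The point Bruce makes above is that a client which asked for channel binding must fail closed when it does not get it, because an on-path attacker can strip SSL or steer the server toward a weaker authentication method. The following is an added illustration of that decision rule as a client-side policy check; it is not code from this thread or from libpq. The `cb_mode` enum (modelled on the `channel_binding_mode` setting discussed above), the `conn_state` struct, and the functions `channel_binding_allows` and `parse_cb_mode` are assumed names for this example, and the connection scenarios in `main` are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Client-side channel-binding policy, modelled on the channel_binding_mode
 * setting discussed in the thread.  Illustrative model only, not libpq code. */
typedef enum { CB_DISABLE, CB_PREFER, CB_REQUIRE } cb_mode;

/* What the client actually observed while connecting.  sasl_mechanism is the
 * mechanism the server offered in its SASL request, or NULL when the server
 * asked for a non-SASL method such as md5 or plain password. */
typedef struct {
    bool        ssl_in_use;      /* TLS was negotiated with the server */
    const char *sasl_mechanism;  /* "SCRAM-SHA-256-PLUS", "SCRAM-SHA-256", or NULL */
} conn_state;

/* True only when the server offered a binding-capable mechanism over TLS. */
static bool binding_offered(const conn_state *c)
{
    return c->ssl_in_use && c->sasl_mechanism != NULL &&
           strcmp(c->sasl_mechanism, "SCRAM-SHA-256-PLUS") == 0;
}

/* Decide whether the client may continue authenticating: true to proceed,
 * false to abort.  In REQUIRE mode every path that does not end in channel
 * binding (SSL stripped, server asking for md5/password, or server offering
 * only the non-PLUS SCRAM mechanism) is treated as a downgrade and refused.
 * PREFER is the best-effort negotiation the thread describes as current
 * behaviour: it accepts whatever was negotiated. */
bool channel_binding_allows(cb_mode mode, const conn_state *c)
{
    switch (mode) {
    case CB_DISABLE:
        return true;                 /* binding never requested */
    case CB_PREFER:
        return true;                 /* best effort, silently accepts a downgrade */
    case CB_REQUIRE:
        return binding_offered(c);   /* fail closed */
    }
    return false;
}

/* Parse the user-facing spelling of the mode; returns false on unknown input. */
bool parse_cb_mode(const char *s, cb_mode *out)
{
    if (strcmp(s, "disable") == 0) { *out = CB_DISABLE; return true; }
    if (strcmp(s, "prefer") == 0)  { *out = CB_PREFER;  return true; }
    if (strcmp(s, "require") == 0) { *out = CB_REQUIRE; return true; }
    return false;
}

int main(void)
{
    /* Constructed scenarios: the first is a genuine binding-capable server,
     * the rest are the downgrade shapes raised in the thread. */
    const conn_state genuine   = { true,  "SCRAM-SHA-256-PLUS" };
    const conn_state ssl_strip = { false, "SCRAM-SHA-256" };
    const conn_state md5_swap  = { true,  NULL };
    const conn_state no_plus   = { true,  "SCRAM-SHA-256" };

    printf("require/genuine:   %s\n", channel_binding_allows(CB_REQUIRE, &genuine)   ? "proceed" : "abort");
    printf("require/ssl_strip: %s\n", channel_binding_allows(CB_REQUIRE, &ssl_strip) ? "proceed" : "abort");
    printf("require/md5_swap:  %s\n", channel_binding_allows(CB_REQUIRE, &md5_swap)  ? "proceed" : "abort");
    printf("prefer/no_plus:    %s\n", channel_binding_allows(CB_PREFER,  &no_plus)   ? "proceed" : "abort");
    return 0;
}
```

The design choice worth noticing is that `CB_REQUIRE` evaluates the outcome, not the request: the client checks what was actually negotiated (TLS up, binding-capable mechanism offered) rather than trusting the server's advertised capabilities, which is exactly the property an in-path attacker can otherwise manipulate.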