| From: | Michael Paquier <michael(at)paquier(dot)xyz> |
|---|---|
| To: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi> |
| Cc: | Postgres hackers <pgsql-hackers(at)postgresql(dot)org>, Robert Haas <robertmhaas(at)gmail(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Stephen Frost <sfrost(at)snowman(dot)net>, Bruce Momjian <bruce(at)momjian(dot)us> |
| Subject: | Re: SCRAM with channel binding downgrade attack |
| Date: | 2018-05-28 09:20:02 |
| Message-ID: | 20180528092002.GC27845@paquier.xyz |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers pgsql-www |
On Mon, May 28, 2018 at 12:00:33PM +0300, Heikki Linnakangas wrote:
> That's not a new problem, but it makes the MITM protection fairly pointless,
> if a fake server can acquire the user's password by simply asking for it.
> The client will report a failed connection, but with the user's password,
> Mallory won't need to act as a MITM anymore.
Yeah, I know.. Do you think that it would be better to add an extra
switch/case at the beginning of pg_fe_sendauth which filters and checks
per message types then?
--
Michael
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Heikki Linnakangas | 2018-05-28 09:26:37 | Re: SCRAM with channel binding downgrade attack |
| Previous Message | Michael Paquier | 2018-05-28 09:17:18 | Re: pg_replication_slot_advance to return NULL instead of 0/0 if slot not advanced |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Heikki Linnakangas | 2018-05-28 09:26:37 | Re: SCRAM with channel binding downgrade attack |
| Previous Message | Heikki Linnakangas | 2018-05-28 09:00:33 | Re: SCRAM with channel binding downgrade attack |