Re: SCRAM with channel binding downgrade attack

From: Michael Paquier <michael(at)paquier(dot)xyz>
To: Bruce Momjian <bruce(at)momjian(dot)us>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Postgres hackers <pgsql-hackers(at)postgresql(dot)org>, Stephen Frost <sfrost(at)snowman(dot)net>
Subject: Re: SCRAM with channel binding downgrade attack
Date: 2018-06-23 13:30:19
Message-ID: 20180623133019.GC7708@paquier.xyz
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers pgsql-www

On Fri, Jun 22, 2018 at 11:01:53PM -0400, Bruce Momjian wrote:
> Uh, as I am understanding it, if we don't allow clients to force channel
> binding, then channel binding is useless because it cannot prevent
> man-in-the-middle attacks. I am sure some users will try to use it, and
> not understand that it serves no purpose. If we then allow clients to
> force channel binding in PG 12, they will then need to fix their
> clients.
>
> I suggest that if we don't allow users to use channel binding
> effectively that we should remove all documentation about this
> feature.

Well, I don't agree with this position as the protocol put in place for
SCRAM with or without channel binding perfectly allows a client to
enforce the use channel binding. While that's missing for libpq, other
clients like JDBC or npgsql could perfectly implement that before this
gets in Postgres core in the shape they want. So I think that the docs
should be kept.
--
Michael

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Bruce Momjian 2018-06-23 14:07:01 Re: SCRAM with channel binding downgrade attack
Previous Message Michael Paquier 2018-06-23 13:25:58 Re: Incorrect errno used with %m for backend code

Browse pgsql-www by date

  From Date Subject
Next Message Bruce Momjian 2018-06-23 14:07:01 Re: SCRAM with channel binding downgrade attack
Previous Message Bruce Momjian 2018-06-23 03:01:53 Re: SCRAM with channel binding downgrade attack