From: | Michael Paquier <michael(at)paquier(dot)xyz> |
---|---|
To: | Bruce Momjian <bruce(at)momjian(dot)us> |
Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Postgres hackers <pgsql-hackers(at)postgresql(dot)org>, Stephen Frost <sfrost(at)snowman(dot)net> |
Subject: | Re: SCRAM with channel binding downgrade attack |
Date: | 2018-06-23 13:30:19 |
Message-ID: | 20180623133019.GC7708@paquier.xyz |
Lists: | pgsql-hackers pgsql-www |
On Fri, Jun 22, 2018 at 11:01:53PM -0400, Bruce Momjian wrote:
> Uh, as I am understanding it, if we don't allow clients to force channel
> binding, then channel binding is useless because it cannot prevent
> man-in-the-middle attacks. I am sure some users will try to use it, and
> not understand that it serves no purpose. If we then allow clients to
> force channel binding in PG 12, they will then need to fix their
> clients.
>
> I suggest that if we don't allow users to use channel binding
> effectively that we should remove all documentation about this
> feature.
Well, I don't agree with this position as the protocol put in place for
SCRAM with or without channel binding perfectly allows a client to
enforce the use of channel binding. While that's missing for libpq, other
clients like JDBC or npgsql could perfectly implement that before this
gets in Postgres core in the shape they want. So I think that the docs
should be kept.
--
Michael
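
Added example, not part of the original message and not code from libpq, JDBC or npgsql: a sketch of the client-side enforcement the thread is debating, where a client set to require channel binding refuses to authenticate unless the server offers the -PLUS mechanism. The function name, the policy values and the choice of `tls-server-end-point` as binding type are assumptions; the gs2 flags `n`, `y` and `p=` are those of RFC 5802.

```python
# Added illustration: client-side channel-binding policy for SCRAM (RFC 5802).
# choose_mechanism and its policy values are hypothetical, not a real driver API.

PLAIN = "SCRAM-SHA-256"
PLUS = "SCRAM-SHA-256-PLUS"
BIND_HEADER = "p=tls-server-end-point,,"  # assumed channel binding type


class ChannelBindingError(Exception):
    """Raised when the client's channel-binding policy cannot be satisfied."""


def choose_mechanism(server_mechs, tls_active, policy="prefer"):
    """Return (mechanism, gs2_header) to use in the client-first-message.

    policy: "require" -> accept only the -PLUS mechanism
            "prefer"  -> use -PLUS when offered, otherwise fall back
            "disable" -> never use channel binding
    """
    if policy not in ("require", "prefer", "disable"):
        raise ValueError(f"unknown policy: {policy}")
    offered = set(server_mechs)

    if policy == "require":
        if not tls_active:
            raise ChannelBindingError("channel binding needs a TLS connection")
        if PLUS not in offered:
            # A mechanism list with -PLUS stripped looks the same as an old
            # server, so a strict client stops instead of falling back.
            raise ChannelBindingError(f"server did not offer {PLUS}")
        return PLUS, BIND_HEADER

    if policy == "prefer" and tls_active and PLUS in offered:
        return PLUS, BIND_HEADER

    if PLAIN not in offered:
        raise ChannelBindingError(f"server did not offer {PLAIN}")
    if policy == "prefer" and tls_active:
        # "y": client supports binding but saw no -PLUS offer. RFC 5802 has
        # the server fail authentication if it did advertise -PLUS.
        return PLAIN, "y,,"
    return PLAIN, "n,,"
```
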