Re: Should I enforce ssl/local socket use?

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Tim Cross <theophilusx(at)gmail(dot)com>
Cc: Michel Pelletier <pelletier(dot)michel(at)gmail(dot)com>, pgsql-general(at)lists(dot)postgresql(dot)org
Subject: Re: Should I enforce ssl/local socket use?
Date: 2020-06-15 18:51:23
Message-ID: 20200615185123.GF12122@momjian.us
Lists: pgsql-general

On Sun, Jun 7, 2020 at 10:32:39AM +1000, Tim Cross wrote:
>
> Michel Pelletier <pelletier(dot)michel(at)gmail(dot)com> writes:
>
> > Hello,
> >
> > I'm the author of the pgsodium cryptography library. I have a question
> > about a best practice I'm thinking of enforcing. Several functions in
> > pgsodium generate secrets, I want to check the Proc info to enforce that
> > those functions can only be called using a local domain socket or an ssl
> > connection. If the connection isn't secure by that definition, secret
> > generating functions will fail.
> >
> > If someone really wants to point the gun at their foot, they can connect
> > with an unsecured proxy. My goal would be to make bypassing the check
> > annoying.
> >
> > Any thoughts? Is this an insufferably rude attitude? Are there scenarios
> > where one can foresee needing to generate secrets not over ssl or a domain
> > socket?
> >
>
> I'm never very fond of enforcing a particular behaviour as it assumes we
> understand all environments and use cases. Far better to make this the
> default behaviour, but allow users to disable it if they want and
> clearly document that option as insecure. I also suspect that without
> the ability to somehow disable the checks, people will find elaborate
> ways to work around them which are almost certainly going to be even
> worse from a security perspective.

You also have to allow a way to disable it that is secure or it is
useless, which makes it even more complex.

--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EnterpriseDB https://enterprisedb.com

The usefulness of a cup is in its emptiness, Bruce Lee
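
The check discussed in this thread, written in SQL and PL/pgSQL. This is an added example, not pgsodium's code and not something any participant posted. The `demo` schema, the function names and the `demo.allow_insecure` setting are hypothetical, and pgcrypto's `gen_random_bytes` stands in for a secret-generating function.

```sql
-- Added example; all demo.* names are hypothetical.
CREATE EXTENSION IF NOT EXISTS pgcrypto;   -- only for the stand-in generator below
CREATE SCHEMA IF NOT EXISTS demo;

-- True when this session arrived over a Unix-domain socket or over SSL.
CREATE OR REPLACE FUNCTION demo.connection_is_secure()
RETURNS boolean
LANGUAGE sql STABLE
AS $$
    SELECT inet_client_addr() IS NULL      -- NULL client address: Unix-domain socket
        OR COALESCE((SELECT s.ssl
                       FROM pg_stat_ssl s
                      WHERE s.pid = pg_backend_pid()), false);
$$;

-- Secure by default; the override is explicit and labelled insecure.
CREATE OR REPLACE FUNCTION demo.require_secure_connection()
RETURNS void
LANGUAGE plpgsql
AS $$
BEGIN
    IF demo.connection_is_secure() THEN
        RETURN;
    END IF;
    -- current_setting(name, true) returns NULL if the setting was never set.
    -- Any role can SET a custom setting like this one, so the override
    -- itself is not access-controlled.
    IF COALESCE(current_setting('demo.allow_insecure', true), 'off') = 'on' THEN
        RAISE WARNING 'generating a secret over an unencrypted TCP connection';
        RETURN;
    END IF;
    RAISE EXCEPTION 'secret generation requires SSL or a Unix-domain socket'
        USING HINT = 'SET demo.allow_insecure = on overrides this check (insecure).';
END;
$$;

-- Stand-in for a secret-generating function: run the guard first.
CREATE OR REPLACE FUNCTION demo.generate_key()
RETURNS bytea
LANGUAGE plpgsql
AS $$
BEGIN
    PERFORM demo.require_secure_connection();
    RETURN gen_random_bytes(32);
END;
$$;
```

Over plain TCP, `SELECT demo.generate_key();` raises the exception until the session runs `SET demo.allow_insecure = on;`, after which it returns a key with a warning.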
