Re: Should I enforce ssl/local socket use?

From: Tim Cross <theophilusx(at)gmail(dot)com>
To: Michel Pelletier <pelletier(dot)michel(at)gmail(dot)com>
Cc: pgsql-general(at)lists(dot)postgresql(dot)org
Subject: Re: Should I enforce ssl/local socket use?
Date: 2020-06-07 00:32:39
Message-ID: 874krn1zrt.fsf@gmail.com
Lists: pgsql-general


Michel Pelletier <pelletier(dot)michel(at)gmail(dot)com> writes:

> Hello,
>
> I'm the author of the pgsodium cryptography library. I have a question
> about a best practice I'm thinking of enforcing. Several functions in
> pgsodium generate secrets, I want to check the Proc info to enforce that
> those functions can only be called using a local domain socket or an ssl
> connection. If the connection isn't secure by that definition, secret
> generating functions will fail.
>
> If someone really wants to point the gun at their foot, they can connect
> with an unsecured proxy. My goal would be to make bypassing the check
> annoying.
>
> Any thoughts? Is this an insufferably rude attitude? Are there scenarios
> where one can foresee needing to generate secrets not over ssl or a domain
> socket?
>

I'm never very fond of enforcing a particular behaviour as it assumes we
understand all environments and use cases. Far better to make this the
default behaviour, but allow users to disable it if they want and
clearly document that option as insecure. I also suspect that without
the ability to somehow disable the checks, people will find elaborate
ways to work around them which are almost certainly going to be even
worse from a security perspective.

--
Tim Cross
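
One way to express the default-on check with a documented opt-out discussed in this message, as an added example (not code from pgsodium or from either poster). The `demo_*` function names and the `demo.allow_insecure` setting are hypothetical, and pgcrypto's `gen_random_bytes` stands in for a secret-generating function.

```sql
-- Added example. All demo_* names and the demo.allow_insecure setting are hypothetical.
CREATE EXTENSION IF NOT EXISTS pgcrypto;  -- only for gen_random_bytes(), a stand-in

-- True when the session arrived over a Unix-domain socket or an SSL connection.
CREATE OR REPLACE FUNCTION demo_connection_is_secure() RETURNS boolean
LANGUAGE sql STABLE AS $$
    SELECT inet_client_addr() IS NULL          -- NULL: Unix-domain socket
        OR COALESCE((SELECT ssl FROM pg_stat_ssl
                     WHERE pid = pg_backend_pid()), false);
$$;

-- Default: refuse on plain TCP. Opt-out: SET demo.allow_insecure = on (documented as insecure).
CREATE OR REPLACE FUNCTION demo_require_secure_conn() RETURNS void
LANGUAGE plpgsql AS $$
DECLARE
    -- current_setting(..., true) yields NULL (or '') when the setting was never defined
    allow_insecure boolean := COALESCE(
        NULLIF(current_setting('demo.allow_insecure', true), ''), 'off')::boolean;
BEGIN
    IF demo_connection_is_secure() THEN
        RETURN;
    ELSIF allow_insecure THEN
        RAISE WARNING 'generating a secret over an unencrypted TCP connection';
        RETURN;
    END IF;
    RAISE EXCEPTION 'refusing to generate a secret over an unencrypted TCP connection'
        USING HINT = 'Use SSL or a Unix-domain socket, or set demo.allow_insecure = on.';
END;
$$;

-- A secret-generating function guarded by the check.
CREATE OR REPLACE FUNCTION demo_keygen() RETURNS bytea
LANGUAGE plpgsql AS $$
BEGIN
    PERFORM demo_require_secure_conn();
    RETURN gen_random_bytes(32);
END;
$$;

-- Over plain TCP:
--   SELECT demo_keygen();               -- raises the exception
--   SET demo.allow_insecure = on;
--   SELECT demo_keygen();               -- warning, then returns 32 bytes
```

The check only describes the last hop into PostgreSQL, so it says nothing about what a proxy in front of that hop does with the traffic.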
