Re: BUG #4340: SECURITY: Is SSL Doing Anything?

From: Gregory Stark <stark(at)enterprisedb(dot)com>
To: "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: "Alvaro Herrera" <alvherre(at)commandprompt(dot)com>, "Bruce Momjian" <bruce(at)momjian(dot)us>, "Dan Kaminsky" <dan(at)doxpara(dot)com>, <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: BUG #4340: SECURITY: Is SSL Doing Anything?
Date: 2008-08-19 09:34:46
Message-ID: 87tzdh5ow9.fsf@oxford.xeocode.com
Lists: pgsql-bugs

"Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us> writes:

> Actually, I had missed that the OP was looking at 7.3 rather than 8.3.
> There was a "verify_peer()" in 7.3 but it was #ifdef'd out. The
> question remains whether there's a reason to have it. It would be good
> if the discussion were based on a non-obsolete PG version ...

Well, in theory SSL without at least one-way authentication is actually
worthless. It's susceptible to man-in-the-middle attacks, meaning someone can
sniff all the contents or even inject into or take over connections. It is
proof against passive attacks, but active attacks are known in the field, so
that's cold comfort these days.

--
Gregory Stark
EnterpriseDB http://www.enterprisedb.com
Get trained by Bruce Momjian - ask me about EnterpriseDB's PostgreSQL training!
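
An added example, not part of the original message or of PostgreSQL's code: a Python audit of libpq keyword/value connection strings that reports which ones leave the server's identity unverified, the condition the message describes. It assumes the `sslmode` values of current libpq (`verify-ca` and `verify-full` arrived after the releases discussed in this thread); the sample hosts and paths are constructed.

```python
import re

# libpq sslmode values mapped to what the connection actually guarantees.
POSTURE = {
    "disable":     "plaintext",
    "allow":       "opportunistic",   # may silently fall back to plaintext
    "prefer":      "opportunistic",   # libpq default when sslmode is absent
    "require":     "encrypted-unauthenticated",  # stops passive sniffing only
    "verify-ca":   "ca-verified",     # chain checked, host name not checked
    "verify-full": "authenticated",   # chain and host name both checked
}

# keyword = value; value is bare or single-quoted with backslash escapes
_PAIR = re.compile(r"(\w+)\s*=\s*(?:'((?:\\.|[^'\\])*)'|(\S*))")

def parse_conninfo(conninfo):
    """Parse a keyword/value libpq connection string into a dict."""
    params = {}
    for key, quoted, bare in _PAIR.findall(conninfo):
        params[key] = re.sub(r"\\(.)", r"\1", quoted or bare)
    return params

def tls_posture(conninfo):
    """Return (sslmode, posture) for one connection string."""
    mode = parse_conninfo(conninfo).get("sslmode", "prefer")
    # libpq compares sslmode case-sensitively, so unknown spellings are flagged
    return mode, POSTURE.get(mode, "unknown-sslmode")

def not_fully_authenticated(conninfos):
    """Connection strings where the server's identity is not fully verified."""
    return [c for c in conninfos if tls_posture(c)[1] != "authenticated"]

# Constructed sample strings; hosts and paths are placeholders.
SAMPLES = [
    "host=db.example.internal dbname=app user=app",
    "host=db.example.internal dbname=app sslmode=require",
    "host=db.example.internal sslmode = 'verify-ca' sslrootcert='/etc/ssl/my ca.pem'",
    "host=db.example.internal sslmode=verify-full sslrootcert=/etc/ssl/ca.pem",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print("%-26s %s" % (tls_posture(s)[1], s))
```
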
