Re: Successor of MD5 authentication, let's use SCRAM

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Andrew Dunstan <andrew(at)dunslane(dot)net>
Cc: Martijn van Oosterhout <kleptog(at)svana(dot)org>, Magnus Hagander <magnus(at)hagander(dot)net>, Will Crawford <billcrawford1970(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org, Daniel Farina <daniel(at)heroku(dot)com>
Subject: Re: Successor of MD5 authentication, let's use SCRAM
Date: 2012-10-22 17:54:35
Message-ID: CA+TgmoZcc_4GWgTHtrHtuWTjRrG1KxBrLSPaaB7JVOCLh5OFkw@mail.gmail.com
Lists: pgsql-hackers

On Mon, Oct 22, 2012 at 10:57 AM, Andrew Dunstan <andrew(at)dunslane(dot)net> wrote:
> On 10/22/2012 10:18 AM, Robert Haas wrote:
>> On Sun, Oct 21, 2012 at 11:02 AM, Martijn van Oosterhout
>> <kleptog(at)svana(dot)org> wrote:
>>>
>>> It bugs me every time you have to jump through hoops and get red
>>> warnings for an unknown CA, whereas no encryption whatsoever is treated
>>> as fine while being actually even worse.
>>
>> +1. Amen, brother.
>
> Not really, IMNSHO. The difference is that an unencrypted session isn't
> pretending to be secure. In any case, it doesn't seem too intrusive for us
> to warn, at least in psql, with something like:
>
> SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256) Host Certificate
> Unverified

Well, that change wouldn't bother me at all; in fact, I like it. But
Firefox, for example, makes me do three or four clicks every time I
go to a website with an invalid SSL certificate, whereas a web site
that does not use SSL requires no clicks at all. What's the sense in
that? If we imagine that all activity is user-initiated - that is,
the user is always careful to ask for SSL when and only when they need
a higher level of security - then that's pretty sensible. But in fact
the world doesn't work that way. Most web pages are downloaded
automatically when you click on a link, and you don't normally look to
see whether SSL is in use unless you have a security concern (e.g.
because you are logging into your bank's web site). If somebody went
and trojaned my bank's web page, they wouldn't need to break the SSL
certificate; they could just remove SSL from the login page
altogether. Odds are very good that 95% of people wouldn't notice.

I think it's great to have a full-paranoia mode where anything not
kosher on the SSL connection is grounds for extreme panic. But it
shouldn't be the default. What Ubuntu is doing does not solve every
problem, but it does solve some problems, and we shouldn't go out of
our way to break it.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
