From: | Dev Kumkar <devdas(dot)kumkar(at)gmail(dot)com> |
---|---|
To: | Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at> |
Cc: | "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: Heartbleed Impact |
Date: | 2014-04-16 15:44:39 |
Message-ID: | CALSLE1NVD15+LjR+_Yg4HMLPCa6jca6-coAZYvBgzbquXEG3ow@mail.gmail.com |
Lists: | pgsql-general |
On Wed, Apr 16, 2014 at 6:49 PM, Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at> wrote:
> Dev Kumkar wrote:
> >> Unless somebody changes the setting to ssl=on, there should be no
> >> problem.
> >
> > Thanks, also please help me to understand - is changing this
> > postgresql.conf setting enough to be vulnerable here?
>
> Just changing the setting will only cause your database server to error
> out on restart - you also need to create certificates and put them into
> the server directory.
>
> So whoever does this change must know what they are doing (to some extent).
>
> Once SSL has been enabled, a cunning attacker may be able to steal
> the server's private key (if I understood the vulnerability correctly)
> and then launch man-in-the-middle attacks, i.e. impersonate the server,
> to eavesdrop on encrypted communication.
>
> The remedy would be to create a new key pair for the server.
>
> Yours,
> Laurenz Albe
>
Thanks, this really helps. Currently we are not creating a certificate and
are working in non-SSL mode.
Regards...
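The two conditions discussed in this thread (is `ssl = on` in postgresql.conf, and is a server key pair actually present so the server will start and negotiate SSL) can be checked mechanically, and the "does this server speak SSL at all" question can also be answered from the network using the PostgreSQL SSLRequest handshake (an 8-byte message: Int32 length 8, Int32 code 80877103; the server answers a single byte, `S` or `N`). The following is an added example written for this page; it is not code from the thread or from PostgreSQL itself. The default file names `server.crt` / `server.key` are PostgreSQL's documented defaults for `ssl_cert_file` / `ssl_key_file`; the sample configuration text, the sample directory listings and the function names are constructed for the example.

```python
"""Check whether a PostgreSQL server is in the SSL-exposed state this thread
describes: ssl=on plus a key pair on disk (so SSL is really live), versus
ssl=off, versus ssl=on with no certificates (server errors out on restart).
Added example; not code from the mailing-list thread or from PostgreSQL."""
import socket
import struct

# PostgreSQL frontend/backend protocol: SSLRequest = Int32(8) Int32(80877103).
SSL_REQUEST_CODE = 80877103

# Documented PostgreSQL defaults for ssl_cert_file / ssl_key_file.
DEFAULT_CERT_FILE = "server.crt"
DEFAULT_KEY_FILE = "server.key"


def build_ssl_request() -> bytes:
    """Wire encoding of the SSLRequest message (network byte order)."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def parse_ssl_response(first_byte: bytes) -> bool:
    """Server replies 'S' (will negotiate SSL) or 'N' (SSL not available)."""
    if first_byte == b"S":
        return True
    if first_byte == b"N":
        return False
    raise ValueError("unexpected SSLRequest reply: %r" % (first_byte,))


def probe_server_ssl(host: str, port: int = 5432, timeout: float = 5.0) -> bool:
    """Live network probe (not exercised offline): does the server accept SSL?
    A 'S' here on a host with an unpatched OpenSSL is the exposure the thread
    is about; the fix is patching OpenSSL and issuing a new server key pair."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_ssl_request())
        return parse_ssl_response(sock.recv(1))


def parse_postgresql_conf(text: str) -> dict:
    """Minimal postgresql.conf reader: 'name = value' or 'name value', with
    '#' comments stripped and single quotes removed from values."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" in line:
            key, value = line.split("=", 1)
        else:
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue
            key, value = parts
        settings[key.strip().lower()] = value.strip().strip("'")
    return settings


def ssl_requested(settings: dict) -> bool:
    """postgresql.conf boolean: ssl defaults to off when the line is absent
    or commented out."""
    return settings.get("ssl", "off").lower() in ("on", "true", "yes", "1")


def ssl_material_present(settings: dict, data_dir_files) -> bool:
    """Both the certificate and the private key must exist for ssl=on to work."""
    cert = settings.get("ssl_cert_file", DEFAULT_CERT_FILE)
    key = settings.get("ssl_key_file", DEFAULT_KEY_FILE)
    files = set(data_dir_files)
    return cert in files and key in files


def classify_ssl_state(conf_text: str, data_dir_files) -> str:
    """Returns one of:
       'off'    - SSL not enabled (the situation the original poster is in)
       'broken' - ssl=on but no key pair, server will fail on restart
       'on'     - SSL live; with a vulnerable OpenSSL the private key is at
                  risk and a new key pair must be generated after patching"""
    settings = parse_postgresql_conf(conf_text)
    if not ssl_requested(settings):
        return "off"
    if not ssl_material_present(settings, data_dir_files):
        return "broken"
    return "on"


# Constructed sample inputs (not real configurations).
SAMPLE_CONF_OFF = "# constructed sample\n#ssl = off\nlisten_addresses = '*'\n"
SAMPLE_CONF_ON = "ssl = on\t# constructed sample\nssl_cert_file = 'server.crt'\n"

if __name__ == "__main__":
    print(classify_ssl_state(SAMPLE_CONF_OFF, ["postgresql.conf"]))       # off
    print(classify_ssl_state(SAMPLE_CONF_ON, ["postgresql.conf"]))        # broken
    print(classify_ssl_state(SAMPLE_CONF_ON, ["server.crt", "server.key"]))  # on
```

`probe_server_ssl` is the only function that touches the network; it only sends the SSLRequest and reads the one-byte answer, it does not complete a TLS handshake, so it is safe to point at a production listener. If the answer is `on` / `S` on a host that ran a vulnerable OpenSSL, follow the remedy given in the reply above: patch OpenSSL, then generate a fresh key pair and certificate for the server and restart it, since the old private key must be assumed leaked.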