| From: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi> |
|---|---|
| To: | Michael Paquier <michael(at)paquier(dot)xyz> |
| Cc: | Postgres hackers <pgsql-hackers(at)postgresql(dot)org>, Robert Haas <robertmhaas(at)gmail(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Stephen Frost <sfrost(at)snowman(dot)net>, Bruce Momjian <bruce(at)momjian(dot)us> |
| Subject: | Re: SCRAM with channel binding downgrade attack |
| Date: | 2018-05-28 09:26:37 |
| Message-ID: | dea8f83f-9626-a56d-6137-7a23c97f7adf@iki.fi |
| Lists: | pgsql-hackers pgsql-www |
On 28/05/18 12:20, Michael Paquier wrote:
> On Mon, May 28, 2018 at 12:00:33PM +0300, Heikki Linnakangas wrote:
>> That's not a new problem, but it makes the MITM protection fairly pointless,
>> if a fake server can acquire the user's password by simply asking for it.
>> The client will report a failed connection, but with the user's password,
>> Mallory won't need to act as a MITM anymore.
>
> Yeah, I know.. Do you think that it would be better to add an extra
> switch/case at the beginning of pg_fe_sendauth which filters and checks
> per message types then?
Sounds good.
- Heikki
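
The filtering step proposed in the quoted text, as an added sketch that is not code from this thread or from libpq: the client checks each authentication request type against its own policy before building any response, so a server that asks for the password directly is refused without the password being sent. `auth_state`, `filter_auth_request` and the `require_channel_binding` setting are hypothetical names; the `AUTH_REQ_*` values are the protocol's authentication request codes.

```c
#include <stdbool.h>
#include <stddef.h>

/* Authentication request codes of the PostgreSQL wire protocol. */
enum {
    AUTH_REQ_OK = 0, AUTH_REQ_PASSWORD = 3, AUTH_REQ_MD5 = 5,
    AUTH_REQ_SASL = 10, AUTH_REQ_SASL_CONT = 11, AUTH_REQ_SASL_FIN = 12
};

/* Hypothetical client-side state; not libpq's PGconn. */
typedef struct {
    bool require_channel_binding; /* assumed policy setting chosen by the user */
    bool sasl_started;            /* AUTH_REQ_SASL has been received */
    bool sasl_fin_seen;           /* AUTH_REQ_SASL_FIN has been received */
} auth_state;

/*
 * Called on every authentication request before a response is built.
 * Returns NULL to proceed, or an error string to abort the connection.
 * Selecting the channel-binding SCRAM mechanism and verifying the
 * server's final message belong to the SCRAM code, not to this filter.
 */
const char *filter_auth_request(auth_state *st, int areq)
{
    if (!st->require_channel_binding)
        return NULL;                      /* no policy: accept as before */

    switch (areq) {
        case AUTH_REQ_SASL:
            st->sasl_started = true;
            return NULL;
        case AUTH_REQ_SASL_CONT:
            return st->sasl_started ? NULL : "SASL continuation before SASL start";
        case AUTH_REQ_SASL_FIN:
            if (!st->sasl_started)
                return "SASL final message before SASL start";
            st->sasl_fin_seen = true;
            return NULL;
        case AUTH_REQ_OK:
            /* A server that skips the exchange has proven nothing. */
            return st->sasl_fin_seen ? NULL : "server did not complete SASL exchange";
        case AUTH_REQ_PASSWORD:
        case AUTH_REQ_MD5:
            return "password requested, but channel binding is required";
        default:
            return "authentication method cannot provide channel binding";
    }
}
```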