Skip site navigation (1) Skip section navigation (2)

Re: Spoofing as the postmaster

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Tomasz Ostrowski <tometzky(at)batory(dot)org(dot)pl>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Gregory Stark <stark(at)enterprisedb(dot)com>, Marko Kreen <markokr(at)gmail(dot)com>, Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Spoofing as the postmaster
Date: 2007-12-29 03:44:49
Message-ID: 200712290344.lBT3inv08687@momjian.us (view raw or flat)
Thread:
Lists: pgsql-hackers
Tomasz Ostrowski wrote:
> On Sun, 23 Dec 2007, Tom Lane wrote:
> 
> > ISTM we have these action items:
> > 1. Improve the code so that SSL authentication can be used across a
> > Unix-socket connection (we can disable encryption though).
> 
> I've just realised that there's a problem with SSL with disabled
> encryption on a unix socket / localhost connections for cpu-saving.
> Any local user using this attack would be able to eavesdrop
> everything comming through a socket.
> 
> If an attacker just acts as a tunnel, highjacking a unix-socket and
> talking to a server using any other interface (or the other way
> around), then he would not be able to modify information flow, but he
> would be able to read and save everything going to and from a server.
> It is again not obvious as normally local connections are not
> susceptible to eavesdropping. And could go unnoticed for a long time
> as everything would just work normally.
> 
> So I think no cpu-saving by turning off encryption should be done.
> 
> And this would all not help for a denial-of-service attack.

Good point.  I have added the last two sentences to the documentation
paragraph to highlight this issue:

   <productname>OpenSSL</productname> supports a wide range of ciphers
   and authentication algorithms, of varying strength.  While a list of
   ciphers can be specified in the <productname>OpenSSL</productname>
   configuration file, you can specify ciphers specifically for use by
   the database server by modifying <xref linkend="guc-ssl-ciphers"> in
   <filename>postgresql.conf</>.  It is possible to have authentication
   without the overhead of encryption by using <literal>NULL-SHA</> or
   <literal>NULL-MD5</> ciphers.  However, a man-in-the-middle could read
   and pass communications between client and server.

-- 
  Bruce Momjian  <bruce(at)momjian(dot)us>        http://momjian.us
  EnterpriseDB                             http://postgres.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +

In response to

Responses

pgsql-hackers by date

Next:From: Mark MielkeDate: 2007-12-29 03:52:58
Subject: Re: Spoofing as the postmaster
Previous:From: Bruce MomjianDate: 2007-12-29 03:23:18
Subject: Re: Spoofing as the postmaster

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group