Re: Spoofing as the postmaster

Tomasz Ostrowski wrote:
> On Sun, 23 Dec 2007, Tom Lane wrote:
>> 3. Massive confusion and breakage as various people transition to the
>> new standard at different times.
>
> As with any major version.

No, it would introduce a client/server incompatibility. Generally, older
clients (libpq) will still work fine with newer servers, or the other
way around. Lots of attention is paid to maintaining that.

>> 4. Potential to create, rather than remove, spoofing opportunities
>> anyplace there is confusion about which port the postmaster is really
>> listening on.
>
> I agree. But because it would just not work it'll be easy to notice
> and correct. And when corrected it would be no more confusion.

It would be a perfect spot to put in the MITM attack that this whole
thread has been about...

>> Fundamentally these are man-in-the-middle attacks, and the only real
>> solution is mutual authentication.
>
> The problem is not many people expect man-in-the-middle attack on
> secure lan, localhost or local socket connection, so they'll not try
> to prevent it.

There is no such thing as a secure LAN, unless you control every host
and what every user can do on it. (Definition of LAN can be a bit
different though. Say you implement proper IPsec isolation on it - in
that case, only the machines on the inside of the ipsec "cloud" need to
be trusted)

Same thing really does go for the host - it's not a secure host if you
can't control what the users are doing on it. So you can't treat it as
such if that's the case.

//Magnus