
Re: BUG #4340: SECURITY: Is SSL Doing Anything?

From: Dan Kaminsky <dan(at)doxpara(dot)com>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Gregory Stark <stark(at)enterprisedb(dot)com>, Alvaro Herrera <alvherre(at)commandprompt(dot)com>, Bruce Momjian <bruce(at)momjian(dot)us>, pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #4340: SECURITY: Is SSL Doing Anything?
Date: 2008-08-19 20:35:24
Message-ID: 48AB2E8C.8020602@doxpara.com
Lists: pgsql-bugs
>> 1) No roots (but still works for some unknown reason)
>> 2) Explicitly configured corporate roots
>> 3) Explicitly configured corporate roots, AND global roots
>> 4) Global roots (but still works for some unknown reason)
>>
>> Keep in mind that at least Debian distributes a ca-certificates package,
>> and I can't imagine they're alone.
>>     
>
> My guess is you'll find both options 1 and 2 fairly often, and 3 and 4
> very seldom.
> (Note that if you configure libpq for no roots, it will accept any
> certificate without verifying the chain)
>   
So, if you do nothing special, it's #1?  Sounds like the path of least 
resistance is no security.  Uh oh.
> That's one of the things, yeah, agreed. I meant the internals part only
> as an argument for why you'll see most pg deployments not using global
> certs.
>
> OTOH, if your firewall lets your clients (or even worse - your webserver
> or so) connect out to arbitrary machines on the PostgreSQL port, it can
> easily be argued that you have a lot of homework to do elsewhere as well
> ;-) But that's just a mitigating factor, and not a solution.
>
>   
It's hard enough to manage inbound firewall rules.  Outbound?  
Fuggetaboutit :)

--Dan
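As an added illustration of the libpq behaviour Magnus describes above (example code, not from the thread or from PostgreSQL): a small Python classifier that reports what a given connection string and environment actually guarantee. The sslmode semantics, including verify-ca and verify-full, follow the current libpq documentation; the `root_cert_present` flag is an assumption standing in for a root CA file existing at libpq's default path.

```python
"""Classify what a libpq SSL configuration actually verifies.

Added example, not code from the thread or from PostgreSQL; it encodes the
libpq sslmode semantics and the point quoted above: with no root certificate,
the client encrypts (at best) but never authenticates the server."""
import shlex

MODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")


def parse_conninfo(conninfo):
    """Parse the keyword=value form of a libpq connection string."""
    params = {}
    for token in shlex.split(conninfo):
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError("malformed conninfo token: %r" % token)
        params[key] = value
    return params


def assess_ssl(conninfo, env=None, root_cert_present=False):
    """root_cert_present is an assumption standing in for "a root CA file
    exists at libpq's default location, ~/.postgresql/root.crt"."""
    env = env or {}
    p = parse_conninfo(conninfo)
    mode = p.get("sslmode") or env.get("PGSSLMODE") or "prefer"  # libpq default
    if mode not in MODES:
        raise ValueError("unknown sslmode: %r" % mode)
    has_root = root_cert_present or "sslrootcert" in p or "PGSSLROOTCERT" in env
    r = {"sslmode": mode, "connects": True, "encryption_guaranteed": False,
         "ca_verified": False, "hostname_verified": False}
    if mode.startswith("verify") and not has_root:
        # libpq refuses these modes outright when there is nothing to verify against
        r.update(connects=False, verdict="refused: verify modes need a root certificate")
    elif mode == "disable":
        r["verdict"] = "plaintext"
    elif mode in ("allow", "prefer"):
        r["verdict"] = "opportunistic TLS, no server authentication (downgrade/MITM possible)"
    elif mode == "require" and not has_root:
        r.update(encryption_guaranteed=True,
                 verdict="encrypted, but any server certificate is accepted (MITM possible)")
    elif mode == "verify-full":
        r.update(encryption_guaranteed=True, ca_verified=True, hostname_verified=True,
                 verdict="CA chain and hostname verified")
    else:  # verify-ca, or require with a root cert present (libpq treats them alike)
        r.update(encryption_guaranteed=True, ca_verified=True,
                 verdict="CA chain verified, hostname not checked")
    return r
```

The default case (no sslmode, no root certificate) is option #1 from the list above: the connection may be encrypted, but nothing checks who is on the other end.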

