From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
Cc: | Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Subject: | Re: Re: [COMMITTERS] pgsql: Add support for matching wildcard server certificates to the new |
Date: | 2008-12-01 15:05:50 |
Message-ID: | 4933FD4E.4040703@hagander.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-committers pgsql-hackers |
Robert Haas wrote:
>>> 2. I can't see any possible way that matching a single component could
>>> create security holes that would be eliminated by matching multiple
>>> components, but I'm more skeptical about the other direction. What
>>> about the old DNS hack where you create a DNS record for
>>> example.com.sample.com and hijack connections intended for example.com
>>> made by people whose default DNS suffix is sample.com? There may be
>>> reason to believe this isn't a problem, but matching less seems like
>>> it can't possibly be a bad thing.
>> Right, but that's all about being careful not to give out certs like
>> "*.postgres.*".
>
> Errrr...no. The point is that if you've hacked sample.com's DNS
> server, you might have a cert for *.sample.com, but you might NOT have
> a cert for example.com.
Oh, now I see. Yes, it would break on that. But I don't really see the
problem:
* If you have a cert for *.sample.com, you trust sample.com
* All you can do is direct traffic *to* sample.com, which is trusted.
But I guess it could be a potential issue with global CAs, if you just
blindly add them to the trust list.
//Magnus
From | Date | Subject | |
---|---|---|---|
Next Message | Magnus Hagander | 2008-12-01 15:31:46 | Re: Re: [COMMITTERS] pgsql: Add support for matching wildcard server certificates to the new |
Previous Message | Robert Haas | 2008-12-01 15:02:39 | Re: Re: [COMMITTERS] pgsql: Add support for matching wildcard server certificates to the new |
From | Date | Subject | |
---|---|---|---|
Next Message | Alvaro Herrera | 2008-12-01 15:07:47 | Re: New to_timestamp implementation is pretty strict |
Previous Message | David E. Wheeler | 2008-12-01 15:02:59 | Re: New to_timestamp implementation is pretty strict |