From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Martijn van Oosterhout <kleptog(at)svana(dot)org> |
Cc: | Gregory Stark <stark(at)enterprisedb(dot)com>, Peter Eisentraut <peter_e(at)gmx(dot)net>, Robert Haas <robertmhaas(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PG Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: SSL cleanups/hostname verification |
Date: | 2008-10-21 11:20:14 |
Message-ID: | 82C1C7CB-F4AE-46E4-A404-C59F3525794E@hagander.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On 21 okt 2008, at 13.12, Martijn van Oosterhout <kleptog(at)svana(dot)org>
wrote:
> On Tue, Oct 21, 2008 at 11:55:32AM +0100, Gregory Stark wrote:
>> Martijn van Oosterhout <kleptog(at)svana(dot)org> writes:
>>
>>> You seem to be making the assertion that making an encrypted
>>> connection
>>> to an untrusted server is worse than making a plaintext connection
>>> to
>>> an untrusted server, which seems bogus to me.
>>
>> Hm, is it? If you use good old traditional telnet you know you're
>> typing on an
>> insecure connection. If you use ssh you expect it to be secure and
>> indeed ssh
>> throws up big errors if it fails to get a secure connection -- it
>> doesn't
>> silently fall back to an insecure connection.
>
> SSH is a good example, it only works with self-signed certificates,
> and
> relies on the client to check it. Libpq provides a mechanism for the
> client to verify the server's certificate, and that is safe even if it
> is self-signed.
Are you referring to the method we have now? If so, it has two
problems: it's not enforceable from the app, and it's off by default.
Other than that, it works.
> If the client knows the certificate the server is supposed to present,
> then you can't have a man-in-the-middle attack, right? Whether it's
> self-signed or not is irrelevent.
Yes. The importance being that it must know which, and not just
blindly accept anything.
>
> Preventing casual snooping without preventing MitM is a rational
> choice
> for system administrators.
>
Yes, but it should not be the default. It still allows you to do this...
/mha
From | Date | Subject | |
---|---|---|---|
Next Message | Ted Wong | 2008-10-21 11:33:04 | TSEARCH2 Thesaurus limitations |
Previous Message | BRUSSER Michael | 2008-10-21 11:14:54 | corrupted pg_proc? |