Re: [PATCHES] Backend SSL configuration enhancement

From: Gregory Stark <stark(at)enterprisedb(dot)com>
To: "Victor B(dot) Wagner" <vitus(at)cryptocom(dot)ru>
Cc: Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: [PATCHES] Backend SSL configuration enhancement
Date: 2006-08-31 07:52:08
Message-ID: 87ejux736f.fsf@enterprisedb.com
Lists: pgsql-hackers pgsql-patches


"Victor B. Wagner" <vitus(at)cryptocom(dot)ru> writes:

> One example which can be tested with stock OpenSSL without national
> cryptography modules is - usage of NULL ciphers. They are not enabled by
> default, but use of them provides cryptographically strong
> authentication with client certificates and data consistency checking
> with MAC algorithm, but avoids overhead of encryption.
>
> Consider a situation where the data are public anyway, but data modification
> should be properly authorized.

I'm not sure that's a particularly good use case. There are attacks in the
wild that hijack existing TCP connections. If you only authenticate
connections and then even with the MAC checks I think you would have a chance
of being able to take over the connection.

That said, it doesn't mean there aren't valid use cases. If, for example, you
wanted to do some initial data load without encryption but didn't want to have
to reconfigure your network to allow connections on different ports.

--
Gregory Stark
EnterpriseDB http://www.enterprisedb.com
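As an added illustration of the point under discussion (not code from the thread or from the patch), here is a small Python model of OpenSSL cipher-string resolution over a constructed five-suite table: it shows why eNULL suites stay out of the list unless named explicitly, as Victor notes, and gives a defender a way to check that a candidate PostgreSQL ssl_ciphers value cannot negotiate an authenticate-and-MAC-only suite. The suite table and the handful of aliases are assumptions chosen for the example; real OpenSSL has far more of both.

```python
import re
# Constructed subset of OpenSSL's suite table: name -> (kx, auth, enc, mac).
CIPHERS = {
    "ECDHE-RSA-AES256-GCM-SHA384": ("ECDHE", "RSA", "AES256", "SHA384"),
    "ECDHE-RSA-AES128-SHA": ("ECDHE", "RSA", "AES128", "SHA1"),
    "AES128-SHA": ("RSA", "RSA", "AES128", "SHA1"),
    "ECDHE-RSA-NULL-SHA": ("ECDHE", "RSA", "NULL", "SHA1"),  # auth + MAC only
    "NULL-SHA256": ("RSA", "RSA", "NULL", "SHA256"),         # auth + MAC only
}
# Cipher-string aliases modelled as predicates over (kx, auth, enc, mac).
ALIASES = {
    "ALL": lambda c: c[2] != "NULL",   # ALL never includes the eNULL suites
    "eNULL": lambda c: c[2] == "NULL",
    "HIGH": lambda c: c[2].startswith("AES"),
    "AES": lambda c: c[2].startswith("AES"),
    "ECDHE": lambda c: c[0] == "ECDHE",
}

def matches(word, name):
    """True if suite `name` is selected by `word`; 'A+B' means A AND B."""
    attrs = CIPHERS[name]
    return all(p == name or (p in ALIASES and ALIASES[p](attrs))
               for p in word.split("+"))

def select(cipher_string):
    """Resolve a cipher string into the ordered list of enabled suites.
    Prefixes follow OpenSSL: '!' removes permanently, '-' removes but a
    later word may re-add, '+' moves matches to the end, none appends."""
    enabled, killed = [], set()
    for word in re.split(r"[:, ]+", cipher_string.strip()):
        if not word:
            continue
        op, word = (word[0], word[1:]) if word[0] in "!-+" else ("", word)
        hits = [n for n in CIPHERS if matches(word, n)]
        if op == "!":
            killed.update(hits)
            enabled = [n for n in enabled if n not in killed]
        elif op == "-":
            enabled = [n for n in enabled if n not in hits]
        elif op == "+":
            enabled = ([n for n in enabled if n not in hits]
                       + [n for n in enabled if n in hits])
        else:
            enabled += [n for n in hits if n not in enabled and n not in killed]
    return enabled

def null_encryption_suites(cipher_string):
    """Suites the server could negotiate that authenticate and MAC but do not encrypt."""
    return [n for n in select(cipher_string) if CIPHERS[n][2] == "NULL"]
```

An empty result from null_encryption_suites() is the property to insist on for any configuration where connection hijacking, as raised above, is a concern.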
