| From: | Gregory Stark <stark(at)enterprisedb(dot)com> |
|---|---|
| To: | "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | "Alvaro Herrera" <alvherre(at)commandprompt(dot)com>, "Bruce Momjian" <bruce(at)momjian(dot)us>, "Dan Kaminsky" <dan(at)doxpara(dot)com>, <pgsql-bugs(at)postgresql(dot)org> |
| Subject: | Re: BUG #4340: SECURITY: Is SSL Doing Anything? |
| Date: | 2008-08-19 09:34:46 |
| Message-ID: | 87tzdh5ow9.fsf@oxford.xeocode.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
"Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us> writes:
> Actually, I had missed that the OP was looking at 7.3 rather than 8.3.
> There was a "verify_peer()" in 7.3 but it was #ifdef'd out. The
> question remains whether there's a reason to have it. It would be good
> if the discussion were based on a non-obsolete PG version ...
Well in theory SSL without at least one-way authentication is actually
worthless. It's susceptible to man-in-the-middle attacks meaning someone can
sniff all the contents or even inject into or take over connections. It is
proof against passive attacks but active attacks are known in the field so
that's cold comfort these days.
--
Gregory Stark
EnterpriseDB http://www.enterprisedb.com
Get trained by Bruce Momjian - ask me about EnterpriseDB's PostgreSQL training!
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Dan Kaminsky | 2008-08-19 15:58:06 | Re: BUG #4340: SECURITY: Is SSL Doing Anything? |
| Previous Message | Tom Lane | 2008-08-18 23:36:43 | Re: BUG #4340: SECURITY: Is SSL Doing Anything? |