| From: | "Chris Ochs" <chris(at)paymentonline(dot)com> |
|---|---|
| To: | <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: Feature idea |
| Date: | 2004-06-15 15:21:03 |
| Message-ID: | 006501c452ec$5f783750$250a8b0a@chris |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
As much as I hate to say it, if it would be insecure when not using ssl,
this is a feature that people would definitely use insecurely and one day it
would be labeled as a 'security hole' in postgresql.
Chris
----- Original Message -----
From: "Bill Moran" <wmoran(at)potentialtech(dot)com>
To: "Bruce Momjian" <pgman(at)candle(dot)pha(dot)pa(dot)us>
Cc: <chris(at)paymentonline(dot)com>; <pgsql-general(at)postgresql(dot)org>
Sent: Tuesday, June 15, 2004 8:13 AM
Subject: Re: [GENERAL] Feature idea
> Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> wrote:
>
> > Chris Ochs wrote:
> > >
> > > What if SET SESSION AUTHORIZATION could also accept a password so that
non
> > > superusers could switch to a different user? How difficult would this
be?
> >
> > Well, the password would go over the wire unencrypted, causing a
> > security problem.
>
> Only if encrypted transport is not enabled. With encrypted transport, it
would
> be as secure as anything else, right?
>
> Perhaps, it could only be available if transmission encryption is enabled?
Then
> again, there's a certain amount of "only the user can shoot his own foot"
that
> has to be accepted ...
>
> Just thinking out loud ...
>
> --
> Bill Moran
> Potential Technologies
> http://www.potentialtech.com
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Chris Ochs | 2004-06-15 15:23:17 | Fw: Feature idea |
| Previous Message | Bill Moran | 2004-06-15 15:13:19 | Re: Feature idea |