From: | "Keith C(dot) Perry" <netadmin(at)vcsn(dot)com> |
---|---|
To: | Chris Travers <chris(at)travelamericas(dot)com> |
Cc: | Greg Stark <gsstark(at)mit(dot)edu>, pgsql-general(at)postgresql(dot)org |
Subject: | Re: cryptography, was Drawbacks of using BYTEA for PK? |
Date: | 2004-01-13 16:04:27 |
Message-ID: | 1074009867.4004170bc1f34@webmail.vcsn.com |
Lists: | pgsql-general |
Quoting Chris Travers <chris(at)travelamericas(dot)com>:
> From: "Keith C. Perry" <netadmin(at)vcsn(dot)com>
> > Using an MD5 hash to "hide" them will slow your app down by some delta and
> > not protect your connection. Granted, garbling that id with a password is
> > somewhat more secure, but your connection could still be attacked or even
> > hijacked.
> >
> > In the URLs you gave above, why are you not using HTTPS (i.e.
> > authentication)? What about using cryptographic cookies to identify your
> > session and link that to your userid (after authorization)?
>
> Https I can see. I am having difficulty understanding how you could use
> cryptographic cookies to prevent session hijacking though given the current
> setup.
Cryptographic cookies are actually how TCP SYN flood protection is done on Linux
and, I think, Solaris, so in my case the OS is handling that. What is implemented
there could be implemented at the application layer, but I don't think that
becomes valid once you are using HTTPS, since it provides similar facilities.
In my applications, I simply have Apache push a cookie to the browser (during
authorization) which is then used as the session key. Additionally, I almost
always use POST methods instead of GET (I hate exposing application logic that
way). Every time a user does something, the presence of that cookie is checked
in the database.
> Also you could use ssl between the web server and PostgreSQL to
> secure that connection.
True, but that is only half the story. Your client interface is what is
public. I would SSL the web <--> db connection as a standard, but I would be
less concerned about (what I'm assuming is) a local connection behind the DMZ.
> As a side question: Does PostgreSQL support using Kerberos for encrypted
> connections (beyond authentication), or do you need to use SSL for that?
>
> Best Wishes,
> Chris Travers
>
Not sure about that one but if so, I'm sure someone will speak up :)
--
Keith C. Perry, MS E.E.
Director of Networks & Applications
VCSN, Inc.
http://vcsn.com
____________________________________
This email account is being hosted by:
VCSN, Inc : http://vcsn.com
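A server-side session cookie along the lines Keith describes above (a random cookie set during authorization, a row in the database checked on every request) combined with an HMAC so that a tampered cookie is rejected before the database is consulted. This is an added example, not code from the thread or from any project; the secret key, the one-hour lifetime and the in-memory dict standing in for the database table are assumptions.

```python
"""Cryptographic session cookie: random token stored server-side, MAC-protected on the wire."""
import hashlib
import hmac
import secrets
import time

SECRET_KEY = b"constructed-demo-key-replace-and-rotate"   # assumption: server-only secret
SESSION_TTL = 3600                                         # assumption: one-hour sessions

# Stand-in for the database table the thread checks on every request:
# sha256(token) -> (userid, expiry). Only the hash is stored, so a leaked
# table does not hand out usable cookies.
_sessions = {}


def _sign(token: str) -> str:
    """HMAC over the token; lets a forged cookie be rejected without a DB lookup."""
    return hmac.new(SECRET_KEY, token.encode(), hashlib.sha256).hexdigest()


def _row_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_session(userid: int, now=None) -> str:
    """Called once after authorization; returns the cookie value to send."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)           # 256 random bits, not a hashed userid
    _sessions[_row_key(token)] = (userid, now + SESSION_TTL)
    return f"{token}.{_sign(token)}"            # token_urlsafe never contains "."


def check_session(cookie: str, now=None):
    """Run on every request; returns the userid, or None if the cookie is not valid."""
    now = time.time() if now is None else now
    token, sep, mac = cookie.rpartition(".")
    if not sep or not hmac.compare_digest(mac, _sign(token)):
        return None                             # forged or corrupted cookie
    row = _sessions.get(_row_key(token))
    if row is None or row[1] < now:
        return None                             # unknown, revoked or expired session
    return row[0]


def revoke_session(cookie: str) -> None:
    """Logout: drop the row so a copied cookie stops working immediately."""
    _sessions.pop(_row_key(cookie.rpartition(".")[0]), None)
```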