| From: | Marko Kreen <marko(at)l-t(dot)ee> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: [Fwd: [CORE SDI ADVISORY] MySQL weak authentication] |
| Date: | 2000-10-25 21:37:13 |
| Message-ID: | 20001025233713.B12278@l-t.ee |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, Oct 25, 2000 at 10:27:15AM -0600, Bruce Guenter wrote:
> On Tue, Oct 24, 2000 at 10:25:14AM -0400, Lamar Owen wrote:
> > I am forwarding this not to belittle MySQL, but to hopefully help in the
> > development of our own encryption protocol for secure password
> > authentication over the network.
> >
> > The point being is that if we offer the protocol to do it, we had better
> > ensure its security, or someone WILL find the hole. Hopefully it will
> > be people who want to help security and not exploit it.
>
> IMO, anything short of a full SSL wrapped connection is fairly
> pointless. What does it matter if the password is encrypted if
> sensitive query data flows in the clear?
Passwords are sensitive too. They are actually orthogonal,
for data security we need something like SSL, but for
authentication/password security we need some strong authentication
scheme anyway.
--
marko
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2000-10-26 03:01:08 | Re: bug in views/aggregates |
| Previous Message | Marko Kreen | 2000-10-25 21:27:25 | Re: [Fwd: [CORE SDI ADVISORY] MySQL weak authentication] |