| From: | Martijn van Oosterhout <kleptog(at)svana(dot)org> |
|---|---|
| To: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
| Cc: | Gregory Stark <stark(at)enterprisedb(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PG Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: SSL cleanups/hostname verification |
| Date: | 2008-10-21 15:41:25 |
| Message-ID: | 20081021154125.GC5062@svana.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Tue, Oct 21, 2008 at 02:41:11PM +0300, Peter Eisentraut wrote:
> >Preventing casual snooping without preventing MitM is a rational choice
> >for system administrators.
>
> I am not an expert in these things, but it seems to me that someone who
> can casually snoop can also casually insert DHCP or DNS packages and
> redirect traffic. There is probably a small niche where just encryption
> without server authentication prevents information leaks, but it is not
> clear to me where this niche is or how it can be defined, and I
> personally wouldn't encourage this sort of setup.
The example I know of is where there is a passive monitoring system
which monitors and logs all network traffic. In this case MitM is not
an issue because that's being monitored for. But avoiding the extra
duplication of confidential data is worth something.
It's not exactly a huge user group, but it exists.
Have a nice day,
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> Please line up in a tree and maintain the heap invariant while
> boarding. Thank you for flying nlogn airlines.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | David Fetter | 2008-10-21 15:45:11 | Re: automatic parser generation for ecpg |
| Previous Message | Hannu Krosing | 2008-10-21 15:18:05 | Re: Withdraw PL/Proxy from commitfest |