| From: | Sam Mason <sam(at)samason(dot)me(dot)uk> |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: postgresql.key secure storage |
| Date: | 2009-09-14 16:37:09 |
| Message-ID: | 20090914163709.GZ5407@samason.me.uk |
| Lists: | pgsql-general |

On Mon, Sep 14, 2009 at 12:17:55PM -0400, Tom Lane wrote:
> Sam Mason <sam(at)samason(dot)me(dot)uk> writes:
> > On Mon, Sep 14, 2009 at 05:45:14PM +0200, Saleem EDAH-TALLY wrote:
> >> How can a user extract data from a container, by whatever
> >> name we call it, if he does not have the key to open it ?
>
> > Exactly the same way that libpq does--debuggers are powerful tools!
>
> Or even easier, modify the source code of libpq to print out the data
> after it's extracted it.

Yup, I suppose you could even modify libpq to rewrite the "good" SQL
into whatever the attacker wants--bypassing any secret-based scheme
completely.

> Security in an open-source world requires
> a different set of tools than security in a closed-source world.

Strictly speaking, a debugger is the universal mallet :)

Also, it shouldn't change much. Security through obscurity is never
good; it is employed far too often, though thankfully (a bit) less in
open-source programs.

--
Sam http://samason.me.uk/