From: | Garick Hamlin <ghamlin(at)isc(dot)upenn(dot)edu> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Andres Freund <andres(at)anarazel(dot)de>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, Konstantin Knizhnik <k(dot)knizhnik(at)postgrespro(dot)ru> |
Subject: | Re: disable SSL compression? |
Date: | 2018-04-02 17:48:43 |
Message-ID: | 20180402174843.GA19621@isc.upenn.edu |
Lists: | pgsql-hackers |
On Mon, Apr 02, 2018 at 12:46:25PM -0400, Tom Lane wrote:
> Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> writes:
> > I agree the attack is less likely to be applicable in typical database
> > installations. I think we should move forward with considering protocol
> > compression proposals, but any final result should put a warning in the
> > documentation that using compression is potentially insecure.
>
> It seemed like the attack you described wasn't all that dependent on
> whether the data is compressed or not:

I think it is.

I wrote something longer about this in 2013.

https://www.postgresql.org/message-id/20130115172253.GA6662@isc.upenn.edu

The key idea is you can now do a radix search of a secret rather than a
single 1-bit match/doesn't match oracle type attack which is not
feasible when you have a high entropy low density value like a big
ASCII number or hex string.

I do something like set my preferred email (or anything an application
lets a user change) to something like a3bf and keep extending the guess
as I go and sometimes I compress along with the secret and rather than
have to guess a whole application session id all at once and have a work
factor of O(2^128) or something I've got a very tractable search.

It might not be something that is a problem for everyone, but in some
situations it's attackable.

Garick
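
The length signal discussed in the message above, as an added example that is not part of the original thread: it measures how the on-the-wire length of a message changes with the number of leading characters a user-controlled field shares with a secret, with compression on and off. The message layout, `SECRET` and all function names are constructed for illustration.

```python
import zlib

# Constructed sample value; not taken from any real system.
SECRET = "c41f9e0b7a35d2688e13f0a9b6c7d452"  # 128-bit session id as hex
HEX = "0123456789abcdef"


def message(user_field: str) -> bytes:
    """Hypothetical application message that carries a user-controlled
    field and a secret in the same plaintext."""
    return f"email={user_field}\nSet-Cookie: session={SECRET}\n".encode()


def wire_length(user_field: str, compress: bool) -> int:
    """Length an on-path observer can see. Encryption hides content but
    not size, so this tracks the length of what was handed to the cipher."""
    body = message(user_field)
    return len(zlib.compress(body, 9)) if compress else len(body)


def guess_with_prefix(k: int) -> str:
    """16-char field whose first k chars equal SECRET's; every remaining
    char is shifted by 8 so it is guaranteed to differ."""
    miss = "".join(HEX[(int(c, 16) + 8) % 16] for c in SECRET[k:16])
    return SECRET[:k] + miss


def length_profile(compress: bool) -> dict:
    """Wire length keyed by the number of correct leading characters."""
    return {k: wire_length(guess_with_prefix(k), compress)
            for k in (0, 4, 8, 12, 16)}


if __name__ == "__main__":
    # With compression, length falls as the shared prefix grows, which is
    # what lets a guess be confirmed piece by piece instead of all at once.
    print("compressed  :", length_profile(True))
    # Without compression, equal-length fields give equal-length messages.
    print("uncompressed:", length_profile(False))
```

Running the same profile against a real protocol build is a quick way to check whether user-controlled data and secrets share a compression context.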