Re: SCRAM with channel binding downgrade attack

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Michael Paquier <michael(at)paquier(dot)xyz>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Postgres hackers <pgsql-hackers(at)postgresql(dot)org>, Stephen Frost <sfrost(at)snowman(dot)net>
Subject: Re: SCRAM with channel binding downgrade attack
Date: 2018-06-23 14:07:01
Message-ID: 20180623140701.GD21575@momjian.us
Lists: pgsql-hackers pgsql-www

On Sat, Jun 23, 2018 at 10:30:19PM +0900, Michael Paquier wrote:
> On Fri, Jun 22, 2018 at 11:01:53PM -0400, Bruce Momjian wrote:
> > Uh, as I am understanding it, if we don't allow clients to force channel
> > binding, then channel binding is useless because it cannot prevent
> > man-in-the-middle attacks. I am sure some users will try to use it, and
> > not understand that it serves no purpose. If we then allow clients to
> > force channel binding in PG 12, they will then need to fix their
> > clients.
> >
> > I suggest that if we don't allow users to use channel binding
> > effectively that we should remove all documentation about this
> > feature.
>
> Well, I don't agree with this position as the protocol put in place for
> SCRAM with or without channel binding perfectly allows a client to
> enforce the use of channel binding. While that's missing for libpq, other
> clients like JDBC or npgsql could perfectly implement that before this
> gets in Postgres core in the shape they want. So I think that the docs
> should be kept.

Yes, the code is useful, but the _feature_ is not useful until some
interface allows the forcing of channel binding. People are worried
about users having to change their API in PG 12, but the point is that
to use this feature people will have to change their API in PG 12
anyway, and it doesn't do anything useful without an interface we don't
ship, and hasn't been written, so why confuse people that it is a
feature in PG 11?

Channel binding is listed as a _major_ feature in PG 11 in the release
notes, and you can bet people are going to look at how to use it:

    Channel binding for SCRAM authentication, to prevent potential
    man-in-the-middle attacks on database connections

It should perhaps be marked in the source code section, and listed as
not useful by PG 11's libpq or any of the interfaces built on it. We
are also going to need to communicate to people who have already looked
at the release notes that this feature is not useful in PG 11 using
libpq.

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +
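The point the thread turns on (a client that cannot insist on channel binding gains nothing from it, because an intermediary can simply stop advertising the SCRAM-SHA-256-PLUS mechanism, or ask for a password method instead) is easier to see in a small model of the client's mechanism choice. The following is an added illustration, not PostgreSQL or libpq code; the client policy values "disable", "prefer" and "require", the AuthRequest shape and the function names are assumptions chosen for this example, and the gs2 header flags follow RFC 5802 ("p=" for binding in use, "y" for "client supports it but the server did not offer it", "n" for not used).

```python
"""Model of SCRAM mechanism selection with and without a client-side
requirement for channel binding (constructed example, not libpq code)."""
from dataclasses import dataclass
from typing import Optional, Tuple

SCRAM = "SCRAM-SHA-256"
SCRAM_PLUS = "SCRAM-SHA-256-PLUS"   # the channel-binding variant
CB_TYPE = "tls-server-end-point"    # binding type used by PostgreSQL


class DowngradeDetected(Exception):
    """Raised when the client policy forbids proceeding without binding."""


@dataclass(frozen=True)
class AuthRequest:
    """What the server (or an intermediary) asks the client to do.
    kind is "SASL" with a mechanism list, or a password method such as
    "cleartext" or "md5" (assumed labels for this model)."""
    kind: str
    mechanisms: Tuple[str, ...] = ()


def choose_mechanism(request: AuthRequest, channel_binding: str,
                     tls_active: bool) -> Tuple[Optional[str], Optional[str]]:
    """Return (mechanism, gs2_header) the client would send, or raise.

    channel_binding is the assumed client policy: "disable", "prefer" or
    "require". Only "require" lets the client refuse a downgraded offer."""
    if channel_binding not in ("disable", "prefer", "require"):
        raise ValueError("unknown channel_binding policy")

    if request.kind != "SASL":
        # A password method carries no channel binding at all. A client
        # that merely prefers binding will answer it; one that requires
        # binding must stop here.
        if channel_binding == "require":
            raise DowngradeDetected(f"non-SASL method {request.kind!r} offered")
        return None, None

    wants_cb = channel_binding != "disable" and tls_active
    if wants_cb and SCRAM_PLUS in request.mechanisms:
        return SCRAM_PLUS, f"p={CB_TYPE},,"

    if SCRAM in request.mechanisms:
        if channel_binding == "require":
            raise DowngradeDetected("server did not offer " + SCRAM_PLUS)
        # "y" tells a server that does support binding that the offer it
        # sent was tampered with; "n" means the client is not using it.
        flag = "y" if wants_cb else "n"
        return SCRAM, f"{flag},,"

    raise ValueError("no mutually supported SASL mechanism")


def server_check_gs2_flag(flag: str, server_supports_cb: bool) -> bool:
    """Server-side rule from RFC 5802: a server that supports channel
    binding must reject a "y" flag (the client thought it was unavailable),
    and a server that does not support it must reject "p"."""
    if flag == "y" and server_supports_cb:
        return False
    if flag == "p" and not server_supports_cb:
        return False
    return True


def model_intermediary_downgrade(request: AuthRequest) -> AuthRequest:
    """Constructed model of the downgrade discussed in the thread: the
    -PLUS mechanism is simply absent from what the client sees."""
    kept = tuple(m for m in request.mechanisms if not m.endswith("-PLUS"))
    return AuthRequest("SASL", kept)


if __name__ == "__main__":
    honest = AuthRequest("SASL", (SCRAM_PLUS, SCRAM))
    seen = model_intermediary_downgrade(honest)
    print("prefer, honest offer :", choose_mechanism(honest, "prefer", True))
    print("prefer, stripped     :", choose_mechanism(seen, "prefer", True))
    try:
        choose_mechanism(seen, "require", True)
    except DowngradeDetected as e:
        print("require, stripped    : refused ->", e)
```

With "prefer", the stripped offer is accepted and the client falls back to plain SCRAM with a "y" flag; that flag only helps if the real server ever sees it, so the protection lives on the server side and is not under the client's control. With "require", the client refuses both the stripped SASL offer and any password method, which is the behaviour the thread says libpq in PG 11 cannot express.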
