| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi> |
| Cc: | Michael Paquier <michael(at)paquier(dot)xyz>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Negotiating the SCRAM channel binding type |
| Date: | 2018-08-07 21:13:50 |
| Message-ID: | 20180807211350.GJ7297@momjian.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Tue, Aug 7, 2018 at 11:08:12PM +0300, Heikki Linnakangas wrote:
> >I know this is an academic question now, but I am not sure this is true.
> >A man-in-the-middle attacker could say they don't support channel
> >binding to the real client and real server and pretend to be the real
> >server. What would work is to hash the secret in with the supported
> >channel binding list. This is how TLS works --- all previous messages
> >are combined with the secret into a transmitted hash to prevent a MITM
> >from changing it.
>
> Yeah, that is what I meant. Currently, when client chooses to not use
> channel binding, it the sends a single flag, y/n, to indicate whether it
> thinks the server supports channel binding or not. That flag is included in
> the hashes used in the authentication, so if a MITM tries to change it, the
> authentication will fail. If instead of a single flag, it included a list of
> channel binding types supported by the server, that would solve the problem
> with supporting multiple channel binding types.
Yes, agreed.
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2018-08-07 21:19:13 | Re: Make foo=null a warning by default. |
| Previous Message | Michael Paquier | 2018-08-07 21:06:22 | Re: Page freezing, FSM, and WAL replay |