| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
| Cc: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Michael Paquier <michael(at)paquier(dot)xyz>, Magnus Hagander <magnus(at)hagander(dot)net>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Stephen Frost <sfrost(at)snowman(dot)net> |
| Subject: | Re: SCRAM with channel binding downgrade attack |
| Date: | 2018-10-08 15:23:48 |
| Message-ID: | 20181008152348.GB16494@momjian.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers pgsql-www |
On Mon, Oct 8, 2018 at 12:42:39PM +0200, Peter Eisentraut wrote:
> On 05/10/2018 19:01, Bruce Momjian wrote:
> > On Fri, Oct 5, 2018 at 04:53:34PM +0200, Peter Eisentraut wrote:
> >> On 23/05/2018 08:46, Heikki Linnakangas wrote:
> >>> "tls-unique" and "tls-server-end-point" are overly technical to users.
> >>> They don't care which one is used, there's no difference in security.
> >>
> >> A question was raised about this in a recent user group meeting.
> >>
> >> When someone steals the server certificate from the real database server
> >> and sets up a MITM with that certificate, this would pass
> >> tls-server-end-point channel binding, because both the MITM and the real
> >> server have the same certificate. But with tls-unique they would have
> >> different channel binding data, so the channel binding would detect this.
> >>
> >> Is that not correct?
> >
> > Not correct. First, they need to steal the server certificate and
> > _private_ key that goes with the certificate to impersonate the owner of
> > the certificate.
>
> Right, I meant to imply that.
Right --- that is often confused so I wanted to clarify.
> > If that happens, with tls-server-end-point, a MITM
> > could replay what the real server sends to the MITM. You are right that
> > tls-unique makes it harder for a MITM to reproduce the TLS shared key
> > which is mixed with the password hash to prove the server knows the
> > password hash.
>
> So you appear to be saying the above *is* correct?
Yep, I am afraid so. tls-unique seems technically superior, but I guess
not operationally superior, e.g., Java can't access the TLS shared
secret. Supporting both causes the kind of channel binding mode
confusion that we have been dealing with, and the new security trend is
not to support too many options because their interaction is often
surprising, and insecure.
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andres Freund | 2018-10-08 15:24:25 | Re: out-of-order XID insertion in KnownAssignedXids |
| Previous Message | Pavel Stehule | 2018-10-08 15:22:55 | Re: Refactor textToQualifiedNameList() |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Adrien NAYRAT | 2018-10-08 15:44:32 | Re: Postgres 11 release notes |
| Previous Message | Bruce Momjian | 2018-10-08 15:20:03 | Re: Postgres 11 release notes |