Re: SCRAM with channel binding downgrade attack

On 23/05/18 09:59, Magnus Hagander wrote:
>> With that, a connection would be allowed, if either the server's SSL
>> certificate is verified as with "sslmode=verify-full", *or* SCRAM
>> authentication with channel binding was used. Or perhaps cram it into
>> sslmode, "sslmode=verify-full-or-scram-channel-binding", just with a
>> nicer name. (We can do that after v11 though, I think.)
>
> sslmode=verify-full is very different from SCRAM with channel binding,
> isn't it? As in, SCRAM with channel binding at no point proves which server
> you're talking to -- only that you are talking to the SSL endpoint? It
> could be a rogue SSL endpoint unless you do certificate validation.

SCRAM, even without channel binding, does prove that you're talking to
the correct server. Or to be precise, it proves to the client, that the
server also knows the password, so assuming that you're using strong
passwords and not sharing them across servers, you know that you're
talking to the correct server.

Channel binding adds the guarantee that the SSL endpoint belongs to the
same server you're authenticating with, i.e. there is no man in the middle.

- Heikki