Re: BUG #4340: SECURITY: Is SSL Doing Anything?

From: Dan Kaminsky <dan(at)doxpara(dot)com>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Gregory Stark <stark(at)enterprisedb(dot)com>, Alvaro Herrera <alvherre(at)commandprompt(dot)com>, Bruce Momjian <bruce(at)momjian(dot)us>, pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #4340: SECURITY: Is SSL Doing Anything?
Date: 2008-08-19 20:35:24
Message-ID: 48AB2E8C.8020602@doxpara.com
Lists: pgsql-bugs


>> 1) No roots (but still works for some unknown reason)
>> 2) Explicitly configured corporate roots
>> 3) Explicitly configured corporate roots, AND global roots
>> 4) Global roots (but still works for some unknown reason)
>>
>> Keep in mind that at least Debian distributes a ca-certificates package,
>> and I can't imagine they're alone.
>>
>
> My guess is you'll find both options 1 and 2 fairly often, and 3 and 4
> very seldom.
> (Note that if you configure libpq for no roots, it will accept any
> certificate without verifying the chain)
>
So, if you do nothing special, it's #1? Sounds like the path of least
resistance is no security. Uh oh.

> That's one of the things, yeah, agreed. I meant the internals part only
> as an argument for why you'll see most pg deployments not using global
> certs.
>
> OTOH, if your firewall lets your clients (or even worse - your webserver
> or so) connect out to arbitrary machines on the PostgreSQL port, it can
> easily be argued that you have a lot of homework to do elsewhere as well
> ;-) But that's just a mitigating factor, and not a solution.
>
>
It's hard enough to manage inbound firewall rules. Outbound?
Fuggetaboutit :)

--Dan
