| From: | "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org> |
|---|---|
| To: | Jacob Champion <jchampion(at)timescale(dot)com> |
| Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, Daniel Gustafsson <daniel(at)yesql(dot)se>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, Michael Paquier <michael(at)paquier(dot)xyz> |
| Subject: | Re: Docs: Encourage strong server verification with SCRAM |
| Date: | 2023-05-28 18:21:53 |
| Message-ID: | 4ef7e9fc-126a-3be9-3165-6fdb4153381a@postgresql.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 5/26/23 6:47 PM, Jacob Champion wrote:
> On Thu, May 25, 2023 at 6:10 PM Jonathan S. Katz <jkatz(at)postgresql(dot)org> wrote:
>> + To prevent server spoofing from occurring when using
>> + <link linkend="auth-password">scram-sha-256</link> password authentication
>> + over a network, you should ensure you are connecting using SSL.
>
> seems to backtrack on the recommendation -- you have to use
> sslmode=verify-full, not just SSL, to avoid handing a weak(er) hash to
> an untrusted party.
The above assumes that the reader reviewed the previous paragraph and
followed the guidelines there. However, we can make it explicit. Please
see attached.
Thanks,
Jonathan
| Attachment | Content-Type | Size |
|---|---|---|
| v4-docs-encourage-strong-server-verification-with-SCRAM.patch | text/plain | 1.1 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | David Rowley | 2023-05-28 21:42:05 | Re: benchmark results comparing versions 15.2 and 16 |
| Previous Message | Peter Geoghegan | 2023-05-28 16:34:23 | Re: abi-compliance-checker |