Re: Docs: Encourage strong server verification with SCRAM

On 5/25/23 1:29 PM, Stephen Frost wrote:
> Greetings,
>
> * Jacob Champion (jchampion(at)timescale(dot)com) wrote:
>> On 5/24/23 05:04, Daniel Gustafsson wrote:
>>>> On 23 May 2023, at 23:02, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
>>>> Perhaps more succinctly- maybe we should be making adjustments to the
>>>> current language instead of just adding a new paragraph.
>>>
>>> +1
>>
>> I'm 100% on board for doing that as well, but the "instead of"
>> suggestion makes me think I didn't explain my goal very well. For
>> example, Stephen, you said
>>
>>> I have to admit that the patch as presented strikes me as a warning
>>> without really providing steps for how to address the issues mentioned
>>> though; there's a reference to what was just covered at the bottom but
>>> nothing really new.
>>
>> but the last sentence of my patch *is* the suggested step:
>>
>>> + ... It's recommended to employ strong server
>>> + authentication, using one of the above anti-spoofing measures, to prevent
>>> + these attacks.
>
> I was referring specifically to that ordering as not being ideal or in
> line with the rest of the flow of that section. We should integrate the
> concerns higher in the section where we outline the reason these things
> matter and then follow those with the specific steps for how to address
> them, not give a somewhat unclear reference from the very bottom back up
> to something above.

Caught up on this exchange. Some of my comments may be out-of-order.

Overall, +1 to tightening the language around the docs in this area.

However, to paraphrase Stephen, I think the language, as currently
written, makes the problem sound scarier than it actually is, and I
agree that we should just inline it above. There may also be some
follow-up development work we can do to mitigate the issues.

I think it's fine for us to recommend using channel binding, but if
we're concerned about server spoofing / rogue servers, we should also
recommend using sslmode=verify-full to ensure server-identity. That
doesn't necessarily help in the case the server itself has gone rogue,
but that mitigates the MITM risk. The SCRAM RFC is also very clear that
you should be using TLS[1].

I really don't think the "startup packet" is an actual issue, but I
think recommending good TLS / channel binding mitigates this.

For the iteration count, I'm generally ambivalent here. I think again,
if you're using good TLS, this is most likely mitigated. If you're
connecting to a rogue server using good TLS, you likely have other
issues to deal with. However, there may be a libpq feature here that
lets a client specify a minimum iteration count it will accept for
purposes of SCRAM.

Thanks,

Jonathan

[1] https://www.rfc-editor.org/rfc/rfc5802#section-9