Re: Stats Collector Error 7.4beta1 and 7.4beta2

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Alvaro Herrera <alvherre(at)dcc(dot)uchile(dot)cl>
Cc: Andrew Dunstan <andrew(at)dunslane(dot)net>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Stats Collector Error 7.4beta1 and 7.4beta2
Date: 2003-09-10 16:49:31
Message-ID: 8018.1063212571@sss.pgh.pa.us
Lists: pgsql-hackers

Alvaro Herrera <alvherre(at)dcc(dot)uchile(dot)cl> writes:
> On Wed, Sep 10, 2003 at 07:27:02AM -0400, Andrew Dunstan wrote:
>> If someone can spoof the packet address isn't there also a possibility
>> that they can read your packets and see your random signature?

> Spoofing the packet source address is not quite the same as sniffing a
> connection, which should be encrypted if you do not trust your
> environment AFAIU.

Remember this is a local-loopback connection; the packets will never
leave your own kernel. If the attacker can sniff the packets then he is
already into your kernel, in which case game over. But depending on how
careful your kernel is, it's possible that an attacker who doesn't yet
own your machine could inject forged packets with a local source
address. So I think that indeed there are scenarios where a
random-signature check would be more secure than a source-address check.

The question is whether any of this is worth worrying about in PG.
ISTM the correct solution to such a risk is to tighten your kernel's
packet filtering, not harden one piece of one application.

regards, tom lane
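
The two checks weighed in this message, side by side, as an added example that is not part of the original email and not PostgreSQL's code. The 16-byte signature prefix, the port number and the function names are assumptions made for the illustration; it shows that a datagram with a forged loopback source passes the source-address check but fails the random-signature check.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIG_LEN 16                 /* assumed signature length */
static uint8_t secret[SIG_LEN];    /* drawn at startup, shared with legitimate senders */

/* Source-address check: trust the datagram if it claims the expected sender. */
static int source_ok(const struct sockaddr_in *from, const struct sockaddr_in *want)
{
    return from->sin_addr.s_addr == want->sin_addr.s_addr &&
           from->sin_port == want->sin_port;
}

/* Random-signature check: the first SIG_LEN bytes must equal the secret.
 * The loop has no early exit, so timing does not show how many bytes matched. */
static int signature_ok(const uint8_t *msg, size_t len)
{
    uint8_t diff = 0;
    if (len < SIG_LEN) return 0;
    for (size_t i = 0; i < SIG_LEN; i++) diff |= msg[i] ^ secret[i];
    return diff == 0;
}

/* Returns bit 0 = source check passed, bit 1 = signature check passed, -1 on error.
 * known_secret=0 models a datagram that claims 127.0.0.1 but lacks the secret. */
int classify(int known_secret)
{
    struct sockaddr_in want = {0}, from = {0};
    uint8_t msg[SIG_LEN + 8] = {0};            /* constructed sample datagram */
    FILE *f = fopen("/dev/urandom", "rb");
    size_t got = f ? fread(secret, 1, SIG_LEN, f) : 0;
    if (f) fclose(f);
    if (got != SIG_LEN) return -1;
    want.sin_family = from.sin_family = AF_INET;
    want.sin_port = from.sin_port = htons(5432);            /* constructed port */
    want.sin_addr.s_addr = from.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (known_secret) memcpy(msg, secret, SIG_LEN);
    return source_ok(&from, &want) | (signature_ok(msg, sizeof msg) << 1);
}

int main(void)
{
    printf("legitimate sender: %d\n", classify(1));  /* both checks pass */
    printf("forged source:     %d\n", classify(0));  /* only the source check passes */
    return 0;
}
```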
