| From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
|---|---|
| To: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi> |
| Cc: | Michael Paquier <michael(at)paquier(dot)xyz>, Bruce Momjian <bruce(at)momjian(dot)us>, Magnus Hagander <magnus(at)hagander(dot)net>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, Stephen Frost <sfrost(at)snowman(dot)net> |
| Subject: | Re: SCRAM with channel binding downgrade attack |
| Date: | 2018-05-25 14:44:16 |
| Message-ID: | CA+TgmoYLsOUyxjT90UstOLw1HEZb7rbvShdmNPP4+rDKT_CFQA@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers pgsql-www |
On Wed, May 23, 2018 at 2:46 AM, Heikki Linnakangas <hlinnaka(at)iki(dot)fi> wrote:
> "tls-unique" and "tls-server-end-point" are overly technical to users. They
> don't care which one is used, there's no difference in security.
> Furthermore, if we add another channel binding type in the future, perhaps
> because someone finds a vulnerability in those types and a new one is added
> to address it, users would surely like to be automatically switched over to
> the new binding type. If they have "tls-unique" hardcoded in connection
> strings, that won't happen.
+1.
> So I think the options should be "prefer", "disable", and "require". That's
> also symmetrical with sslmode, which is nice.
+1.
> We could provide "tls-unique" and "tls-server-end-point" in addition to
> those, but I'd consider those to be developer only settings, useful only for
> testing the protocol.
It seems to me that this is really another sort of thing altogether.
Whether or not you want to insist on channel binding is a completely
separate thing from which channel binding methods you're willing to
use. It seems to me like the most logical thing would be to make
these two separate connection options. If it's discovered that
tls-unique sucks bigtime for some reason, people are going to want to
turn it off whether they are preferring channel binding or requiring
it.
> It would be nice to have a libpq setting like "authenticate_server=require",
> which would mean "I want man-in-the-middle protection". With that, a
> connection would be allowed, if either the server's SSL certificate is
> verified as with "sslmode=verify-full", *or* SCRAM authentication with
> channel binding was used. Or perhaps cram it into sslmode,
> "sslmode=verify-full-or-scram-channel-binding", just with a nicer name. (We
> can do that after v11 though, I think.)
IMHO we could do all of this after v11. This seems like late
development being jammed through after beta1 to me. But I just work
here.
Semantically, I see the value of an option that means basically
mitm_protection=true, but in practice I'm not sure there is any real
advantage over having the user just specify either ssmode=verify-full
or channelbinding=require depending on the technology they wish to
use. They probably have a specific technology in mind; it's hard to
see how they're going to get an environment configured otherwise.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2018-05-25 14:49:25 | Re: Performance regression with PostgreSQL 11 and partitioning |
| Previous Message | Tom Lane | 2018-05-25 14:41:55 | Re: Unexpected casts while using date_trunc() |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Heikki Linnakangas | 2018-05-25 15:24:07 | Re: SCRAM with channel binding downgrade attack |
| Previous Message | Tatsuo Ishii | 2018-05-25 02:09:20 | Re: Add PostgreSQL 11 to feature matrix page? |