| From: | Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> |
|---|---|
| To: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi> |
| Cc: | "* Neustradamus *" <neustradamus(at)hotmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: RFC 9266: Channel Bindings for TLS 1.3 support |
| Date: | 2025-11-21 16:18:41 |
| Message-ID: | CAOYmi+ku23HywDuYpQC7zcwGLFoiqm9-HpdpVErrUrpWQ3ZFug@mail.gmail.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Fri, Nov 21, 2025 at 12:46 AM Heikki Linnakangas <hlinnaka(at)iki(dot)fi> wrote:
> If I understood the incident correctly, the attacker managed to somehow
> obtain a valid TLS certificate for the victim domain. They used that to
> perform a MITM attack. They did not have the server's private key. (Or
> if they did, they did not use that for the attack).
Oh! Thank you for pointing that out. Yeah, having the private key for
*a* host certificate shouldn't help you if it doesn't have the same
public fingerprint as the one in use at the peer. (I'm not sure I
really internalized that distinction before.)
--Jacob
| From | Date | Subject | |
|---|---|---|---|
| Next Message | 河田達也 | 2025-11-21 16:25:58 | Re: [PATCH] Add memory usage reporting to VACUUM VERBOSE |
| Previous Message | Tom Lane | 2025-11-21 16:16:21 | Re: change default default_toast_compression to lz4? |