From: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
---|---|
To: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Michael Paquier <michael(at)paquier(dot)xyz> |
Cc: | Postgres hackers <pgsql-hackers(at)postgresql(dot)org>, Robert Haas <robertmhaas(at)gmail(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Stephen Frost <sfrost(at)snowman(dot)net>, Bruce Momjian <bruce(at)momjian(dot)us> |
Subject: | Re: SCRAM with channel binding downgrade attack |
Date: | 2018-06-06 20:31:36 |
Message-ID: | e418275f-586f-80a8-757a-5ab1792251fb@2ndquadrant.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers pgsql-www |
On 6/6/18 16:26, Heikki Linnakangas wrote:
> On 06/06/18 23:20, Peter Eisentraut wrote:
>> Aren't we attacking this on the wrong level? We are here attempting to
>> prevent a SCRAM-SHA-256-PLUS -> SCRAM-SHA-256 downgrade, but we are not
>> preventing a SCRAM-SHA-256-PLUS -> anything-else downgrade.
>
> The latest patch does prevent that, too. That was my complaint at
> https://www.postgresql.org/message-id/030284cc-d1d6-ce88-b677-a814f61c1880%40iki.fi,
> but it's been fixed now. (Or if you see a case where it still isn't,
> that's a bug.)
OK, that would do, but we don't do anything about a SCRAM-SHA-256 ->
anything-else downgrade. Instead of tying this to the channel binding,
should we tie it to the authentication type?
--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
From | Date | Subject | |
---|---|---|---|
Next Message | Tomas Vondra | 2018-06-06 20:42:54 | Re: POC: GROUP BY optimization |
Previous Message | Heikki Linnakangas | 2018-06-06 20:26:00 | Re: SCRAM with channel binding downgrade attack |
From | Date | Subject | |
---|---|---|---|
Next Message | Heikki Linnakangas | 2018-06-06 20:46:11 | Re: SCRAM with channel binding downgrade attack |
Previous Message | Heikki Linnakangas | 2018-06-06 20:26:00 | Re: SCRAM with channel binding downgrade attack |