Re: cryptography, was Drawbacks of using BYTEA for PK?

Keith C. Perry <netadmin@vcsn.com>

From: "Keith C. Perry" <netadmin@vcsn.com>
To: Chris Travers <chris@travelamericas.com>
Cc: Greg Stark <gsstark@mit.edu>, pgsql-general@postgresql.org
Date: 2004-01-13T16:04:27Z
Lists: pgsql-general
Quoting Chris Travers <chris@travelamericas.com>:

> From: "Keith C. Perry" <netadmin@vcsn.com>
> > Using an MD5 hash to
> > "hide" them will slow your app down by some delta and not protect your
> > connection.  Granted garbling that id with a password is somewhat more
> secure
> > but your connection could still be attacked or even hijacked.
> >
> > In the URL's you gave above, why are you not using HTTPS (i.e.
> authentication)?
> >  What about using a crytographic cookies to identify your session and link
> that
> > to you userid (after authorization)?
> 
> Https I can see.  I am having difficulty understanding how you could use
> cryptographic cookies to prevent session hijacking though given the current
> setup.

Cryptographic cookies are actually how TCP SYN flood protection is done on Linux
and I think Solaris so in my case the OS is handling that.  What is implemented
there could be implemented at the application layer but I don't think that
becomes valid once you are using HTTPS since is provide similar facilities.

In my applications, I simply have Apache push a cookie to the browser (during
authorization) which is then used as the session key.  Additionally, I almost
always use POST methods instead of GET (I hate exposing application logic that
way).  Ever time a user does something, the presence of that cookie is checked
in the database.

> Also you could use ssl between the web server and PostgreSQL to
> secure that connection.

True but that is only half the story.  You're client interface is what is
public.  I would SSL the web <--> db connection as a standard but I would be
less concerned about (what I'm assumming is) a local connection behind the DMZ.

> As a side question:  Does PostgreSQL support using Kerberos for encrypted
> connections (beyond authentication), or do you need to use SSL for that?
> 
> Best Wishes,
> Chris Travers
> 

Not sure about that one but if so, I'm sure someone will speak up  :)

-- 
Keith C. Perry, MS E.E.
Director of Networks & Applications
VCSN, Inc.
http://vcsn.com
 
____________________________________
This email account is being host by:
VCSN, Inc : http://vcsn.com