Re: SCRAM with channel binding downgrade attack
Michael Paquier <michael@paquier.xyz>
On Wed, May 23, 2018 at 08:59:43AM +0200, Magnus Hagander wrote: > On Wed, May 23, 2018 at 8:46 AM, Heikki Linnakangas <hlinnaka@iki.fi> wrote: >> "tls-unique" and "tls-server-end-point" are overly technical to users. >> They don't care which one is used, there's no difference in security. >> Furthermore, if we add another channel binding type in the future, perhaps >> because someone finds a vulnerability in those types and a new one is added >> to address it, users would surely like to be automatically switched over to >> the new binding type. If they have "tls-unique" hardcoded in connection >> strings, that won't happen. >> >> So I think the options should be "prefer", "disable", and "require". >> That's also symmetrical with sslmode, which is nice. OK, being able to introduce a new default if necessary is a good point. Let's introduce a "require" mode then, which uses tls-unique underground, while "tls-unique" and "tls-server-end-point" are documented as developer-oriented. > As a general point, I still don't like being symmetrical with > sslmode=prefer, because that's a silly setting for sslmode :) It basically > says "I don't care about the security guarantees, I just want the overhead > please". Now, granted, the over head for SCRAM channel-binding is certainly > a lot less than it is for TLS. But if we just want to go with symmetry, it > would perhaps make more sense to implement the "allow" mode which makes > more sense on the TLS side as well. Something that you may be forgetting here is that we still want to be able to connect to a v10 backend with default options even with a post-v11 libpq. Or we will get complaints. >> It would be nice to have a libpq setting like >> "authenticate_server=require", which would mean "I want man-in-the-middle >> protection". > > That seems like a bad name for such a thing. Shouldn't it be > "authenticate_server=no_man_in_the_middle" (not those words but you get the > idea). Specifically, protecting against man in the middle attack does not > equal authenticating server -- you can still be connected to the wrong > server just with no second attacker between you and the first > attacker. Still that's not something we want for v11, right? >> With that, a connection would be allowed, if either the server's SSL >> certificate is verified as with "sslmode=verify-full", *or* SCRAM >> authentication with channel binding was used. Or perhaps cram it into >> sslmode, "sslmode=verify-full-or-scram-channel-binding", just with a >> nicer name. (We can do that after v11 though, I think.) > > sslmode=verify-full is very different from SCRAM with channel binding, > isn't it? As in, SCRAM with channel binding at no point proves which server > you're talking to -- only that you are talking to the SSL endpoint? It > could be a rogue SSL endpoint unless you do certificate validation. And the reverse is true as well, say the CA is compromised.. -- Michael
Commits
-
doc: update PG 11 release notes
- 6eb612fea9d0 12.0 cited
-
Fix misspelled pg_trgm contrib name in PostgreSQL 11 release notes
- 3abc5a67edfd 12.0 landed
-
Doc: clarify release note text about v11's new window function features.
- 510421c45fb4 11.0 landed
- 11a3aeeb5e17 12.0 landed
-
Improve wording of release notes item
- bee6a683a5c3 11.0 landed
-
Fix typos in release notes
- fb6accd27b99 11.0 landed
-
Doc: preliminary list of PG11 major features.
- 4aad161c9a6d 11.0 landed
-
Make numeric power() handle NaNs according to the modern POSIX spec.
- d1fc750b5199 11.0 landed
-
Various improvements of skipping index scan during vacuum technics
- 8e12f4a250d2 11.0 cited
-
Revert back-branch changes in power()'s behavior for NaN inputs.
- f74d83b3034f 10.4 cited
-
Avoid wrong results for power() with NaN input on more platforms.
- 6bdf1303b34b 11.0 cited
-
Avoid wrong results for power() with NaN input on some platforms.
- 61b200e2f582 11.0 cited
-
Skip full index scan during cleanup of B-tree indexes when possible
- 857f9c36cda5 11.0 cited
-
Rewrite the code that applies scan/join targets to paths.
- 11cf92f6e2e1 11.0 cited
-
Postpone generate_gather_paths for topmost scan/join rel.
- 3f90ec8597c3 11.0 cited
-
Add casts from jsonb
- c0cbe00fee6d 11.0 cited
-
Make plpgsql use its DTYPE_REC code paths for composite-type variables.
- 4b93f57999a2 11.0 cited
-
Don't allow VACUUM VERBOSE ANALYZE VERBOSE.
- 921059bd66c7 11.0 cited
-
Pass InitPlan values to workers via Gather (Merge).
- e89a71fb449a 11.0 cited
-
Account for the effect of lossy pages when costing bitmap scans.
- 5edc63bda68a 11.0 cited
-
Allow no-op GiST support functions to be omitted.
- d3a4f89d8a3e 11.0 cited
-
Rearm statement_timeout after each executed query.
- f8e5f156b30e 11.0 cited
-
Push limit through subqueries to underlying sort, where possible.
- 1f6d515a67ec 11.0 cited