Re: SCRAM with channel binding downgrade attack
Magnus Hagander <magnus@hagander.net>
On Wed, May 23, 2018 at 10:56 AM, Michael Paquier <michael@paquier.xyz> wrote: > On Wed, May 23, 2018 at 08:59:43AM +0200, Magnus Hagander wrote: > > On Wed, May 23, 2018 at 8:46 AM, Heikki Linnakangas <hlinnaka@iki.fi> > wrote: > >> "tls-unique" and "tls-server-end-point" are overly technical to users. > >> They don't care which one is used, there's no difference in security. > >> Furthermore, if we add another channel binding type in the future, > perhaps > >> because someone finds a vulnerability in those types and a new one is > added > >> to address it, users would surely like to be automatically switched > over to > >> the new binding type. If they have "tls-unique" hardcoded in connection > >> strings, that won't happen. > >> > >> So I think the options should be "prefer", "disable", and "require". > >> That's also symmetrical with sslmode, which is nice. > > OK, being able to introduce a new default if necessary is a good point. > Let's introduce a "require" mode then, which uses tls-unique > underground, while "tls-unique" and "tls-server-end-point" are > documented as developer-oriented. > > As a general point, I still don't like being symmetrical with > > sslmode=prefer, because that's a silly setting for sslmode :) It > basically > > says "I don't care about the security guarantees, I just want the > overhead > > please". Now, granted, the over head for SCRAM channel-binding is > certainly > > a lot less than it is for TLS. But if we just want to go with symmetry, > it > > would perhaps make more sense to implement the "allow" mode which makes > > more sense on the TLS side as well. > > Something that you may be forgetting here is that we still want to be > able to connect to a v10 backend with default options even with a > post-v11 libpq. Or we will get complaints. > Right. Having a mode called "allow" and having that be default would work fine in this case, wouldn't it? (That is, my suggestion is to implement "allow", "disable" and "require", and to make "allow" the default) >> It would be nice to have a libpq setting like > >> "authenticate_server=require", which would mean "I want > man-in-the-middle > >> protection". > > > > That seems like a bad name for such a thing. Shouldn't it be > > "authenticate_server=no_man_in_the_middle" (not those words but you get > the > > idea). Specifically, protecting against man in the middle attack does not > > equal authenticating server -- you can still be connected to the wrong > > server just with no second attacker between you and the first > > attacker. > > Still that's not something we want for v11, right? > Agreed. >> With that, a connection would be allowed, if either the server's SSL > >> certificate is verified as with "sslmode=verify-full", *or* SCRAM > >> authentication with channel binding was used. Or perhaps cram it into > >> sslmode, "sslmode=verify-full-or-scram-channel-binding", just with a > >> nicer name. (We can do that after v11 though, I think.) > > > > sslmode=verify-full is very different from SCRAM with channel binding, > > isn't it? As in, SCRAM with channel binding at no point proves which > server > > you're talking to -- only that you are talking to the SSL endpoint? It > > could be a rogue SSL endpoint unless you do certificate validation. > > And the reverse is true as well, say the CA is compromised.. > Well, sure. But scram channel binding doesn't protect you there, so you're screwed either way if that happens. -- Magnus Hagander Me: https://www.hagander.net/ <http://www.hagander.net/> Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>
Commits
-
doc: update PG 11 release notes
- 6eb612fea9d0 12.0 cited
-
Fix misspelled pg_trgm contrib name in PostgreSQL 11 release notes
- 3abc5a67edfd 12.0 landed
-
Doc: clarify release note text about v11's new window function features.
- 510421c45fb4 11.0 landed
- 11a3aeeb5e17 12.0 landed
-
Improve wording of release notes item
- bee6a683a5c3 11.0 landed
-
Fix typos in release notes
- fb6accd27b99 11.0 landed
-
Doc: preliminary list of PG11 major features.
- 4aad161c9a6d 11.0 landed
-
Make numeric power() handle NaNs according to the modern POSIX spec.
- d1fc750b5199 11.0 landed
-
Various improvements of skipping index scan during vacuum technics
- 8e12f4a250d2 11.0 cited
-
Revert back-branch changes in power()'s behavior for NaN inputs.
- f74d83b3034f 10.4 cited
-
Avoid wrong results for power() with NaN input on more platforms.
- 6bdf1303b34b 11.0 cited
-
Avoid wrong results for power() with NaN input on some platforms.
- 61b200e2f582 11.0 cited
-
Skip full index scan during cleanup of B-tree indexes when possible
- 857f9c36cda5 11.0 cited
-
Rewrite the code that applies scan/join targets to paths.
- 11cf92f6e2e1 11.0 cited
-
Postpone generate_gather_paths for topmost scan/join rel.
- 3f90ec8597c3 11.0 cited
-
Add casts from jsonb
- c0cbe00fee6d 11.0 cited
-
Make plpgsql use its DTYPE_REC code paths for composite-type variables.
- 4b93f57999a2 11.0 cited
-
Don't allow VACUUM VERBOSE ANALYZE VERBOSE.
- 921059bd66c7 11.0 cited
-
Pass InitPlan values to workers via Gather (Merge).
- e89a71fb449a 11.0 cited
-
Account for the effect of lossy pages when costing bitmap scans.
- 5edc63bda68a 11.0 cited
-
Allow no-op GiST support functions to be omitted.
- d3a4f89d8a3e 11.0 cited
-
Rearm statement_timeout after each executed query.
- f8e5f156b30e 11.0 cited
-
Push limit through subqueries to underlying sort, where possible.
- 1f6d515a67ec 11.0 cited