On the use of channel binding without server certificates (was: Direct SSL connection with ALPN and HBA rules)
Jacob Champion <jacob.champion@enterprisedb.com>
From: Jacob Champion <jacob.champion@enterprisedb.com>
To: Heikki Linnakangas <hlinnaka@iki.fi>
Cc: Jelte Fennema-Nio <postgres@jeltef.nl>,
Daniel Gustafsson <daniel@yesql.se>, Robert Haas <robertmhaas@gmail.com>, Michael Paquier <michael@paquier.xyz>, Postgres hackers <pgsql-hackers@lists.postgresql.org>
Date: 2024-05-13T18:09:50Z
Lists: pgsql-hackers
[soapbox thread, so I've changed the Subject] On Mon, May 13, 2024 at 4:08 AM Heikki Linnakangas <hlinnaka@iki.fi> wrote: > "channel_binding=require sslmode=require" also protects from MITM attacks. This isn't true in the same way that "standard" TLS protects against MITM. I know you know that, but for the benefit of bystanders reading the threads, I think we should stop phrasing it like this. Most people who want MITM protection need to be using verify-full. Details for those bystanders: Channel binding alone will only disconnect you after the MITM is discovered, after your startup packet is leaked but before you send any queries to the server. A hash of your password will also be leaked in that situation, which starts the timer on an offline attack. And IIRC, you won't get an alert that says "someone's in the middle"; it'll just look like you mistyped your password. (Stronger passwords provide stronger protection in this situation, which is not a property that most people are used to. If I choose to sign into Google with the password "hunter2", it doesn't somehow make the TLS protection weaker. But if you rely on SCRAM by itself for server authentication, it does more or less work like that.) Use channel_binding *in addition to* sslmode=verify-full if you want enhanced authentication of the peer, as suggested in the docs [1]. Don't rely on channel binding alone for the vast majority of use cases, and if you know better for your particular use case, then you already know enough to be able to ignore my advice. [/soapbox] Thanks, --Jacob [1] https://www.postgresql.org/docs/current/preventing-server-spoofing.html
Commits
-
Remove option to fall back from direct to postgres SSL negotiation
- fb5718f35ff6 17.0 landed
-
Reject SSL connection if ALPN is used but there's no common protocol
- 17a834a04d5a 17.0 landed
-
libpq: Enforce ALPN in direct SSL connections
- 03a0e0d4bb78 17.0 landed
-
libpq: If ALPN is not used, make PQsslAttribute(conn, "alpn") == ""
- 3c184092651b 17.0 landed
-
Fix documentation and comments on what happens after GSS rejection
- 5c9f35fc48ea 17.0 landed
-
doc: Add note to prevent server spoofing with SCRAM
- d0f4824a5410 16.0 cited