Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1q2E0m-0001AQ-Ab for pgsql-hackers@arkaria.postgresql.org; Thu, 25 May 2023 16:40:24 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1q2E0l-0001HD-4i for pgsql-hackers@arkaria.postgresql.org; Thu, 25 May 2023 16:40:23 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1q2E0k-0001Gw-Qf for pgsql-hackers@lists.postgresql.org; Thu, 25 May 2023 16:40:22 +0000 Received: from mail-pl1-x629.google.com ([2607:f8b0:4864:20::629]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1q2E0g-001qfd-I0 for pgsql-hackers@lists.postgresql.org; Thu, 25 May 2023 16:40:21 +0000 Received: by mail-pl1-x629.google.com with SMTP id d9443c01a7336-1afa6afcf4fso15346305ad.0 for ; Thu, 25 May 2023 09:40:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=timescale.com; s=google; t=1685032817; x=1687624817; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=+nE0ghHM1W5DKTWiJYHCOy1KI2NZZwsRefO2LDC4CJA=; b=HPm0/Ct8OxpMDX/IL02HFmxhwl4LvspXEUR4Y7bjEhif6BLPBrK4W/8e0i+YFqnLVT okEXVBVhcjRLN7GAEFyjN4cIlctnGV3ubP/ZnXWf7MK4KuMjSA0iohH5y9w8l4BedJbG 7cX+k5lGEQ2eSGFZOAvbGNGhQQ23KCOJF/uUwbRbAT8YWUElagKAwpyOaLN3vMji2Yzx jN9rcmE66O+rJtVMXUrdG+a7Dqlptn2OvNeuL7u1wB/eeXoAhW+okzj2IgIkub016xk9 omINbyAtHqf2iUjDHULIJkHjDgM9XYvgpE7oH0pJTm072IWOVG7BwIdRQZM5zo7izSN0 aHjQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1685032817; x=1687624817; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=+nE0ghHM1W5DKTWiJYHCOy1KI2NZZwsRefO2LDC4CJA=; b=RT+0z6cgh5WgH3yQn1exMMpEkBac46DRbSSNhy+vPt9C+A8H8SNHYyHSfVIGNfpmLu OpOJ8BQLGJ3vfMLFa/v3UeThkVXhAdggSgFxCEcoVTbL3N6/ayF8SWlf4e0yXozjp1Wk qgoz+EJ6IjYUuxal/u2wNG5GEBMubVlGSM6sXteOi0vkUp2aRWhFy3qf7JbqZw4TWfjz y7JYwP3uV/sY+/SXODxVxd+eUNSxyTSZFEW64g/6xHQMG33So4BLmZtHdEjczcoAPCs+ 9dNqqdDLDYCGnT5MgvUs7Tp0KguH2eQZAsH8B145ei4SzXXlciypqbaJ4MCrr55Dovcc hfpw== X-Gm-Message-State: AC+VfDweHjd+7AaScOyC/9bFrt2pZkQC7sXBlXCoCKbw/EM/OiDHFTyO JoMypHcxq24NfvJ2CXUScC6f7A== X-Google-Smtp-Source: ACHHUZ4cqOFE3qGZRaj41cILRSMx+TCN4YESfw7hxLBEeqn+VrchU/euvOEhlwH8kewtAMvFoB1+/w== X-Received: by 2002:a17:902:ac86:b0:1a6:d15f:3ce1 with SMTP id h6-20020a170902ac8600b001a6d15f3ce1mr2266901plr.34.1685032817616; Thu, 25 May 2023 09:40:17 -0700 (PDT) Received: from [192.168.1.21] ([50.53.8.205]) by smtp.gmail.com with ESMTPSA id q18-20020a17090311d200b001b008b3dee2sm342plh.287.2023.05.25.09.40.16 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 25 May 2023 09:40:17 -0700 (PDT) Message-ID: <2cdec255-6514-705b-0a4e-0cfb06dbddd7@timescale.com> Date: Thu, 25 May 2023 09:40:16 -0700 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.11.0 Subject: Re: Docs: Encourage strong server verification with SCRAM Content-Language: en-US To: Daniel Gustafsson , Stephen Frost Cc: PostgreSQL Hackers , "Jonathan S. Katz" , Michael Paquier References: <69EC75B8-3A75-43D9-9A2A-61BF6571247B@yesql.se> From: Jacob Champion In-Reply-To: <69EC75B8-3A75-43D9-9A2A-61BF6571247B@yesql.se> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 5/24/23 05:04, Daniel Gustafsson wrote: >> On 23 May 2023, at 23:02, Stephen Frost wrote: >> * Jacob Champion (jchampion@timescale.com) wrote: > >>> - low iteration counts accepted by the client make it easier than it >>> probably should be for a MITM to brute-force passwords (note that >>> PG16's scram_iterations GUC, being server-side, does not mitigate >>> this) >> >> This would be good to improve on. > > The mechanics of this are quite straighforward, the problem IMHO lies in how to > inform and educate users what a reasonable iteration count is, not to mention > what an iteration count is in the first place. Yeah, the education around this is tricky. >> Perhaps more succinctly- maybe we should be making adjustments to the >> current language instead of just adding a new paragraph. > > +1 I'm 100% on board for doing that as well, but the "instead of" suggestion makes me think I didn't explain my goal very well. For example, Stephen, you said > I have to admit that the patch as presented strikes me as a warning > without really providing steps for how to address the issues mentioned > though; there's a reference to what was just covered at the bottom but > nothing really new. but the last sentence of my patch *is* the suggested step: > + ... It's recommended to employ strong server > + authentication, using one of the above anti-spoofing measures, to prevent > + these attacks. In other words: if you're thinking about authenticating the server via SCRAM, over an otherwise anonymous key exchange, you should probably reconsider. The current architecture of libpq doesn't really seem to be set up for this, and my conversations with security@ have been focusing around the argument that people who want strong guarantees should be authenticating the server using a TLS certificate before doing anything else, so we don't need to consider our departures from the spec to be vulnerabilities. I think that's a reasonable stance to take, as long as we're also explicitly warning people away from the mutual-auth use case. To change this, aspects of the code that we don't currently consider security problems would probably need to be reclassified. If we're depending on SCRAM for server authentication, we can't trust a single byte that the server sends to us until after the SCRAM verifier comes back and checks out. Compared to all the other authentication types, that's unusual; I don't think it's really been a focus for the project before. --Jacob