public inbox for [email protected]
help / color / mirror / Atom feedFrom: Jonathan S. Katz <[email protected]>
To: Stephen Frost <[email protected]>
To: Jacob Champion <[email protected]>
Cc: Daniel Gustafsson <[email protected]>
Cc: PostgreSQL Hackers <[email protected]>
Cc: Michael Paquier <[email protected]>
Subject: Re: Docs: Encourage strong server verification with SCRAM
Date: Thu, 25 May 2023 13:48:28 -0400
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <CAAWbhmg5Gh0JetNbQi7z0yOsdsN9YECv8GoY-QBGBBiip9+JOw@mail.gmail.com>
<ZG0p+sk/[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
On 5/25/23 1:29 PM, Stephen Frost wrote:
> Greetings,
>
> * Jacob Champion ([email protected]) wrote:
>> On 5/24/23 05:04, Daniel Gustafsson wrote:
>>>> On 23 May 2023, at 23:02, Stephen Frost <[email protected]> wrote:
>>>> Perhaps more succinctly- maybe we should be making adjustments to the
>>>> current language instead of just adding a new paragraph.
>>>
>>> +1
>>
>> I'm 100% on board for doing that as well, but the "instead of"
>> suggestion makes me think I didn't explain my goal very well. For
>> example, Stephen, you said
>>
>>> I have to admit that the patch as presented strikes me as a warning
>>> without really providing steps for how to address the issues mentioned
>>> though; there's a reference to what was just covered at the bottom but
>>> nothing really new.
>>
>> but the last sentence of my patch *is* the suggested step:
>>
>>> + ... It's recommended to employ strong server
>>> + authentication, using one of the above anti-spoofing measures, to prevent
>>> + these attacks.
>
> I was referring specifically to that ordering as not being ideal or in
> line with the rest of the flow of that section. We should integrate the
> concerns higher in the section where we outline the reason these things
> matter and then follow those with the specific steps for how to address
> them, not give a somewhat unclear reference from the very bottom back up
> to something above.
Caught up on this exchange. Some of my comments may be out-of-order.
Overall, +1 to tightening the language around the docs in this area.
However, to paraphrase Stephen, I think the language, as currently
written, makes the problem sound scarier than it actually is, and I
agree that we should just inline it above. There may also be some
follow-up development work we can do to mitigate the issues.
I think it's fine for us to recommend using channel binding, but if
we're concerned about server spoofing / rogue servers, we should also
recommend using sslmode=verify-full to ensure server-identity. That
doesn't necessarily help in the case the server itself has gone rogue,
but that mitigates the MITM risk. The SCRAM RFC is also very clear that
you should be using TLS[1].
I really don't think the "startup packet" is an actual issue, but I
think recommending good TLS / channel binding mitigates this.
For the iteration count, I'm generally ambivalent here. I think again,
if you're using good TLS, this is most likely mitigated. If you're
connecting to a rogue server using good TLS, you likely have other
issues to deal with. However, there may be a libpq feature here that
lets a client specify a minimum iteration count it will accept for
purposes of SCRAM.
Thanks,
Jonathan
[1] https://www.rfc-editor.org/rfc/rfc5802#section-9
Attachments:
[application/pgp-signature] OpenPGP_signature (840B, ../[email protected]/2-OpenPGP_signature)
download
view thread (3+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
Subject: Re: Docs: Encourage strong server verification with SCRAM
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox