Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s6aA3-000Usl-HE for pgsql-hackers@arkaria.postgresql.org; Mon, 13 May 2024 18:12:32 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1s6aA3-003mYM-84 for pgsql-hackers@arkaria.postgresql.org; Mon, 13 May 2024 18:12:31 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s6a7i-003iuz-Pl for pgsql-hackers@lists.postgresql.org; Mon, 13 May 2024 18:10:06 +0000 Received: from mail-qv1-xf2e.google.com ([2607:f8b0:4864:20::f2e]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1s6a7e-0002MH-Qt for pgsql-hackers@lists.postgresql.org; Mon, 13 May 2024 18:10:05 +0000 Received: by mail-qv1-xf2e.google.com with SMTP id 6a1803df08f44-6969388c36fso18808726d6.1 for ; Mon, 13 May 2024 11:10:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=enterprisedb.com; s=google; t=1715623802; x=1716228602; darn=lists.postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=YG/vIEkwIoinpJn6fLo9PG0ZW2Nj9KxbqCf65UONpmo=; b=blowXpMGFa/+bGV/XM2zV6B168hoBtfNkOZWiPK7swQJhfNVqmhcZDuoSe1kadPzPj kU1fpw4rKwMFACyTiategSWAIAWzitdEHts7aJ9BIyQpB98ZqvcnDiigLhgGMxGT34JH yUO7kcIAoeDHAz4NgmgUiXIaxTfijQ1hLyYW8v5HcYmSP/Q5xZWv9RH+7ORqTyfGypvd RJveiQEJpQ08AoyRPV5jNNho6q1z1+Zz7P0hCKqTp/xG/qelJ9PfUFFowAYf5yVnxaOQ r93aZRl45yB47e+dw6v3tAPoh0rsOR3sMQHINDm6/3DzmHRmMGihu6vHs68iqCpol6pH mj5g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1715623802; x=1716228602; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=YG/vIEkwIoinpJn6fLo9PG0ZW2Nj9KxbqCf65UONpmo=; b=Vv2dIwm62iP1LZPWdviFQYgElqDodipmE6LMGhDXTfFQfyMZxXreAYwOsCKFogZRfR LBeW0A/6NwgxBcymggswTe9GIN3APv3OT4uWH4gdYbn4RdAIXFUIiYYwaIVgw9hDwoHt nq46o6Kxx5GrEE5meZ4S+DzExcrHkh1N/S7NhhlT7WPfexp6KilbV1Phw4FjnGatfB+R 0K5L0LREdsLb9i6jWGmdQMPbYRaLaAddP9fP4vBs5wy2nrxykUhZhxTBX1DrJ07Xx74p NcdfDghwT2b77jG7xPev4qG1jG5/ZLTnOQhBNUVKjvlAWtbZaf1kv55YnS2rMe78OyNB espg== X-Forwarded-Encrypted: i=1; AJvYcCV8nGCEjDa7Si4y0VNhXMJAud0JSZowtNU6KBgjhVV7q206qqZUST00HvOftoFiJfiFpdC+DatG68pw1/bO7jYv4bjPe+AbpK/92wmEIhLt9gEm X-Gm-Message-State: AOJu0YxuS9wMQN6Sji0Gkoq2Fw4mEX7WpH/lAEGVMJ9pZzeaNlQ39z3G FhuKyjc/v0dwjw6Lf6lY9MKFPc8SDjwnw3IZe41n1h5+C1ShHjcvpmtENyKwuYvtHT2Ud01mMFu Pm1kop5c4fdSqhPnwrs7zwYnG7dRy1IrdZobr X-Google-Smtp-Source: AGHT+IH536P7ry43DkRDNfPPfSW7wfmngKcRQHpmXkaVz/ZmJVPIH7L0DY2gaJhoUr55pB6LxqnDU3kXiDJ/XnOmeQk= X-Received: by 2002:a05:6214:5349:b0:6a0:8c9f:a42f with SMTP id 6a1803df08f44-6a1681d8ddemr122816446d6.32.1715623801811; Mon, 13 May 2024 11:10:01 -0700 (PDT) MIME-Version: 1.0 References: <3a6f126c-e1aa-4dcc-9252-9868308f6cf0@iki.fi> <1a717f65-7390-4111-8efd-c6e9b213805e@iki.fi> In-Reply-To: From: Jacob Champion Date: Mon, 13 May 2024 11:09:50 -0700 Message-ID: Subject: On the use of channel binding without server certificates (was: Direct SSL connection with ALPN and HBA rules) To: Heikki Linnakangas Cc: Jelte Fennema-Nio , Daniel Gustafsson , Robert Haas , Michael Paquier , Postgres hackers Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk [soapbox thread, so I've changed the Subject] On Mon, May 13, 2024 at 4:08=E2=80=AFAM Heikki Linnakangas wrote: > "channel_binding=3Drequire sslmode=3Drequire" also protects from MITM att= acks. This isn't true in the same way that "standard" TLS protects against MITM. I know you know that, but for the benefit of bystanders reading the threads, I think we should stop phrasing it like this. Most people who want MITM protection need to be using verify-full. Details for those bystanders: Channel binding alone will only disconnect you after the MITM is discovered, after your startup packet is leaked but before you send any queries to the server. A hash of your password will also be leaked in that situation, which starts the timer on an offline attack. And IIRC, you won't get an alert that says "someone's in the middle"; it'll just look like you mistyped your password. (Stronger passwords provide stronger protection in this situation, which is not a property that most people are used to. If I choose to sign into Google with the password "hunter2", it doesn't somehow make the TLS protection weaker. But if you rely on SCRAM by itself for server authentication, it does more or less work like that.) Use channel_binding *in addition to* sslmode=3Dverify-full if you want enhanced authentication of the peer, as suggested in the docs [1]. Don't rely on channel binding alone for the vast majority of use cases, and if you know better for your particular use case, then you already know enough to be able to ignore my advice. [/soapbox] Thanks, --Jacob [1] https://www.postgresql.org/docs/current/preventing-server-spoofing.html