public inbox for [email protected]
help / color / mirror / Atom feedFrom: Stephen Frost <[email protected]>
To: Robert Haas <[email protected]>
Cc: Bruce Momjian <[email protected]>
Cc: Michael Paquier <[email protected]>
Cc: PostgreSQL mailing lists <[email protected]>
Subject: Re: [HACKERS] Changing references of password encryption to hashing
Date: Tue, 28 Nov 2023 10:16:41 -0500
Message-ID: <[email protected]> (raw)
In-Reply-To: <CA+Tgmoa44Q+rajT2FC2S7R3-hfh0xXTEa+qLzdYD0Gh9DPoX3Q@mail.gmail.com>
References: <CAB7nPqR82_57C8O1+z-bUChhHpdjMec_omLfKwYdjAFjjcrBWg@mail.gmail.com>
<[email protected]>
<ZWX/[email protected]>
<CA+Tgmoa44Q+rajT2FC2S7R3-hfh0xXTEa+qLzdYD0Gh9DPoX3Q@mail.gmail.com>
Greetings,
* Robert Haas ([email protected]) wrote:
> On Tue, Nov 28, 2023 at 9:55 AM Stephen Frost <[email protected]> wrote:
> > I do think we should use the correct terminology in our documentation
> > and would support your working on improving things in this area.
>
> +1.
>
> > I do wonder if perhaps we would be better off by having someone spend
> > time on removing terribly insecure authentication methods like md5 and
> > ldap though ...
>
> Wait, what's insecure about LDAP?
We pass a completely cleartext password to the server from the client.
Yes, we might encrypt it on the way with TLS, but even SSH realized how
terrible that is long, long ago and strongly discourages it these days.
The problem with ldap as an auth method is that a single compromised PG
server in an AD/ldap environment can collect up those username+password
credentials and gain access to those users *domain* level access. The
CFO logging into a PG server with LDAP auth is giving up their complete
access credentials to the entire AD domain. That's terrible.
> I think we should eventually remove MD5, but I think there's no rush.
I disagree- it's a known pass-the-hash vulnerability and frankly every
release we do with it still existing is deserving of an immediate CVE
(I've been asked off-list why we don't do this, in fact).
> People who care about security will have already switched, and people
> who don't care about security are not required to start caring.
I wish it were this simple. It's just not though.
> Eventually the maintenance burden will become large enough that it
> makes sense to phase it out for that reason, but I haven't seen any
> evidence that we're anywhere close to that point.
This seems to invite the idea that what people who care about this need
to do is make it painful for us to continue to keep it around, which I
really don't think is best for anyone. We know it's bad, we know it is
broken, we need to remove it, not pretend like it's not broken or not
bad.
Thanks,
Stephen
Attachments:
[application/pgp-signature] signature.asc (833B, ../[email protected]/2-signature.asc)
download
view thread (5+ messages)
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected]
Subject: Re: [HACKERS] Changing references of password encryption to hashing
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox