Re: SCRAM with channel binding downgrade attack - Mailing list pgsql-hackers
| From | Michael Paquier |
|---|---|
| Subject | Re: SCRAM with channel binding downgrade attack |
| Date | |
| Msg-id | 20180523085619.GA1149@paquier.xyz Whole thread Raw |
| In response to | Re: SCRAM with channel binding downgrade attack (Magnus Hagander <magnus@hagander.net>) |
| Responses |
Re: SCRAM with channel binding downgrade attack
Re: SCRAM with channel binding downgrade attack |
| List | pgsql-hackers |
On Wed, May 23, 2018 at 08:59:43AM +0200, Magnus Hagander wrote: > On Wed, May 23, 2018 at 8:46 AM, Heikki Linnakangas <hlinnaka@iki.fi> wrote: >> "tls-unique" and "tls-server-end-point" are overly technical to users. >> They don't care which one is used, there's no difference in security. >> Furthermore, if we add another channel binding type in the future, perhaps >> because someone finds a vulnerability in those types and a new one is added >> to address it, users would surely like to be automatically switched over to >> the new binding type. If they have "tls-unique" hardcoded in connection >> strings, that won't happen. >> >> So I think the options should be "prefer", "disable", and "require". >> That's also symmetrical with sslmode, which is nice. OK, being able to introduce a new default if necessary is a good point. Let's introduce a "require" mode then, which uses tls-unique underground, while "tls-unique" and "tls-server-end-point" are documented as developer-oriented. > As a general point, I still don't like being symmetrical with > sslmode=prefer, because that's a silly setting for sslmode :) It basically > says "I don't care about the security guarantees, I just want the overhead > please". Now, granted, the over head for SCRAM channel-binding is certainly > a lot less than it is for TLS. But if we just want to go with symmetry, it > would perhaps make more sense to implement the "allow" mode which makes > more sense on the TLS side as well. Something that you may be forgetting here is that we still want to be able to connect to a v10 backend with default options even with a post-v11 libpq. Or we will get complaints. >> It would be nice to have a libpq setting like >> "authenticate_server=require", which would mean "I want man-in-the-middle >> protection". > > That seems like a bad name for such a thing. Shouldn't it be > "authenticate_server=no_man_in_the_middle" (not those words but you get the > idea). Specifically, protecting against man in the middle attack does not > equal authenticating server -- you can still be connected to the wrong > server just with no second attacker between you and the first > attacker. Still that's not something we want for v11, right? >> With that, a connection would be allowed, if either the server's SSL >> certificate is verified as with "sslmode=verify-full", *or* SCRAM >> authentication with channel binding was used. Or perhaps cram it into >> sslmode, "sslmode=verify-full-or-scram-channel-binding", just with a >> nicer name. (We can do that after v11 though, I think.) > > sslmode=verify-full is very different from SCRAM with channel binding, > isn't it? As in, SCRAM with channel binding at no point proves which server > you're talking to -- only that you are talking to the SSL endpoint? It > could be a rogue SSL endpoint unless you do certificate validation. And the reverse is true as well, say the CA is compromised.. -- Michael
Attachment
pgsql-hackers by date: