Home > mailing lists

Re: SCRAM with channel binding downgrade attack - Mailing list pgsql-hackers

From	Michael Paquier
Subject	Re: SCRAM with channel binding downgrade attack
Date	May 28, 2018 15:20:02
Msg-id	20180528092002.GC27845@paquier.xyz Whole thread Raw
In response to	Re: SCRAM with channel binding downgrade attack (Heikki Linnakangas <hlinnaka@iki.fi>)
Responses	Re: SCRAM with channel binding downgrade attack (Heikki Linnakangas <hlinnaka@iki.fi>)
List	pgsql-hackers

Tree view

On Mon, May 28, 2018 at 12:00:33PM +0300, Heikki Linnakangas wrote:
> That's not a new problem, but it makes the MITM protection fairly pointless,
> if a fake server can acquire the user's password by simply asking for it.
> The client will report a failed connection, but with the user's password,
> Mallory won't need to act as a MITM anymore.

Yeah, I know..  Do you think that it would be better to add an extra
switch/case at the beginning of pg_fe_sendauth which filters and checks
per message types then?
--
Michael

Attachment

signature.asc

pgsql-hackers by date:

From: Michael Paquier
Date: 28 May 2018, 15:17:18
Subject: Re: pg_replication_slot_advance to return NULL instead of 0/0 ifslot not advanced

From: Heikki Linnakangas
Date: 28 May 2018, 15:26:37
Subject: Re: SCRAM with channel binding downgrade attack

Re: SCRAM with channel binding downgrade attack - Mailing list pgsql-hackers

Attachment

Previous

Next