Tom Lane wrote:
> Alvaro Herrera <alvherre@commandprompt.com> writes:
>> Andrew Gierth wrote:
>>> 2. The server accepts either the old-style or the secure cancel
>>> request from the client, but doesn't allow old-style requests
>>> once a valid secure request has been seen.
>
>> Hmm, I think there should be a way to turn off acceptance of old-style
>> without necessarily requiring a new-style request. Otherwise, how are
>> you protected from DoS if you have never sent a cancel request at all?
>
> Assuming you were using SSL, it's hard to see how an attacker is going
> to get your cancel key without having seen a cancel request.
Not only that, but he'll have to see an *old-style* cancel request,
since the new style doesn't contain the key.
And if you're *not* using SSL, the attacker can just sniff they key off
the initial packet instead.
> However, I dislike Andrew's proposal above even without that issue,
> because it means *still more* changeable state that has to be magically
> shared between postmaster and backends. If we want to have a way for
> people to disable insecure cancels, we should just have a postmaster
> configuration parameter that does it.
Agreed. Your security policy also should not depend on what your client
happens to do, it should be enforceable.
//Magnus
