Dan Kaminsky wrote:
>
>> Good, then we're in agreement that far.
>>
>>
> Cool!
>> (FWIW, I don't think I've ever seen a PostgreSQL server with a
>> certificate off a global root. I've seen plenty off a corporate root
>> though, which could in theory have similar issues - but at least you're
>> in control of your own problem in that case)
>>
> OK, now describe client behavior for me. Is the average client
> configured to accept:
>
> 1) No roots (but still works for some unknown reason)
> 2) Explicitly configured corporate roots
> 3) Explicitly configured corporate roots, AND global roots
> 4) Global roots (but still works for some unknown reason)
>
> Keep in mind that at least Debian distributes a ca-certificates package,
> and I can't imagine they're alone.
My guess is you'll find both options 1 and 2 fairly often, and 3 and 4
very seldom.
(Note that if you configure libpq for no roots, it will accept any
certificate without verifying the chain)
Unless, that is, some distribution (like Debian) changes the default
config there. I don't know enough about the specific distros to really
comment on that.
>> Yes, I think that's fair. You *can* do the verification yourself, but
>> libpq will not do it for you.
>>
>> Only I will claim that the common deployment, as you refer to above,
>> *is* with a custom root. PostgreSQL servers are *very* seldom "published
>> to the internet", and therefore tend not to use the global CA roots.
>>
> So one of the nastier aspects of the DNS bug is that internal
> communication may get routed out to the Internet, because it's DNS that
> keeps things behind the firewall. If SSL is being used, the
> *presumption* is that there's a MITM we want to defend against.
That's one of the things, yeah, agreed. I meant the internals part only
as an argument for why you'll see most pg deployments not using global
certs.
OTOH, if your firewall lets your clients (or even worse - your webserver
or so) connect out to arbitrary machines on the PostgreSQL port, it can
easily be argued that you have a lot of homework to do elsewhere as well
;-) But that's just a mitigating factor, and not a solution.
//Magnus
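An added example, not part of this thread or of libpq itself, that audits a libpq connection string for the behavior discussed above (no root CA configured means the server certificate chain is never checked). It assumes the sslmode/sslrootcert semantics libpq documented after this discussion (verify-ca, verify-full, and require behaving like verify-ca when a root CA file is present), and it opens no connection.

```python
"""Classify a libpq key=value DSN by whether the certificate chain and
hostname would be verified. Constructed audit helper; the sslmode rules
below follow the libpq documentation for releases later than this thread
and are an assumption, not code from PostgreSQL."""
import os
import shlex

# libpq's default root CA location when sslrootcert is not given.
DEFAULT_ROOT = os.path.expanduser("~/.postgresql/root.crt")


def parse_dsn(dsn):
    """Parse a libpq key=value connection string into a dict.

    shlex handles quoted values such as sslrootcert='/etc/pg/root.crt'."""
    params = {}
    for token in shlex.split(dsn):
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"malformed DSN token: {token!r}")
        params[key.strip()] = value.strip()
    return params


def classify(params, root_exists=None):
    """Return (chain_verified, host_verified, reason) for a parsed DSN.

    root_exists overrides the filesystem check so the policy can be
    exercised without a real ~/.postgresql/root.crt."""
    mode = params.get("sslmode", "prefer")        # libpq default
    rootcert = params.get("sslrootcert", DEFAULT_ROOT)
    if root_exists is None:
        root_exists = os.path.exists(rootcert)
    if mode in ("disable", "allow", "prefer"):
        return (False, False,
                f"sslmode={mode}: no chain check, may even fall back to plaintext")
    if mode == "require":
        if root_exists:
            return (True, False, "require + root CA file: verified like verify-ca")
        # This is the case Magnus describes: any server certificate is accepted.
        return (False, False, "require without a root CA file: any cert accepted")
    if mode == "verify-ca":
        if not root_exists:
            return (False, False, "verify-ca needs a root CA file; libpq refuses")
        return (True, False, "chain verified, hostname not checked")
    if mode == "verify-full":
        if not root_exists:
            return (False, False, "verify-full needs a root CA file; libpq refuses")
        return (True, True, "chain and hostname verified")
    raise ValueError(f"unknown sslmode {mode!r}")
```

Only verify-full ties the certificate to the host name the client asked for, which is the property that matters once DNS answers can no longer be trusted.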