Re: md5 auth protocol - can it be replayed? - Mailing list pgsql-admin

From Nagy László Zsolt
Subject Re: md5 auth protocol - can it be replayed?
Date
Msg-id 572E2B83.10908@shopzeus.com
In response to Re: md5 auth protocol - can it be replayed?  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-admin
>> There is a challenge/response component, so the md5 hash which is stored
>> is not what is sent across the wire.  That prevents replay attacks when
>> the attacker is simply sniffing the network.
> Worth noting here is that the challenge key space is not all that huge,
> so an attacker who captures a large number of challenge/response pairs
> would have a good probability of being able to answer the next challenge
> successfully.  However, if you're concerned about sniffing of your
> database connections happening on that scale, you really ought to be using
> SSL encryption which would make the whole thing moot.  In many cases,
> capturing a database session would reveal lots of interesting data passing
> over the wire whether or not you'd captured a usable password --- so I'd
> call it fairly irresponsible to not be using SSL if you think your
> connection is open to sniffing.
Thank you for your responses, this is exactly what I was looking for.
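
The challenge/response scheme and the key-space point quoted above, as an added example that is not part of the original messages or of PostgreSQL's code: it computes the md5 response for a salt the way the protocol documentation describes and estimates how likely a new challenge is to repeat an already observed one. The function names, credentials and salts are constructed for illustration, and the estimate assumes salts are drawn uniformly from the 4-byte space.

```python
import hashlib
import math

SALT_BYTES = 4                       # salt size in AuthenticationMD5Password
SALT_SPACE = 2 ** (8 * SALT_BYTES)   # number of possible challenges


def stored_hash(password: str, username: str) -> str:
    """Server-side stored value: 'md5' + md5(password || username)."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()


def wire_response(stored: str, salt: bytes) -> str:
    """Value sent over the wire: 'md5' + md5(stored hex digest || salt)."""
    if len(salt) != SALT_BYTES:
        raise ValueError("salt must be 4 bytes")
    return "md5" + hashlib.md5(stored[3:].encode("ascii") + salt).hexdigest()


def server_accepts(stored: str, salt: bytes, response: str) -> bool:
    """Server check: recompute the response for the salt it issued."""
    return response == wire_response(stored, salt)


def repeat_probability(distinct_salts_seen: int) -> float:
    """Chance the next salt equals one already observed (assumes uniform salts)."""
    return min(1.0, distinct_salts_seen / SALT_SPACE)


def pairs_needed(probability: float) -> int:
    """Distinct captured salts needed to reach the given repeat probability."""
    return math.ceil(probability * SALT_SPACE)


if __name__ == "__main__":
    stored = stored_hash("s3cret", "alice")          # constructed credentials
    salt_a, salt_b = b"\x01\x02\x03\x04", b"\x0a\x0b\x0c\x0d"  # constructed salts
    resp_a = wire_response(stored, salt_a)
    print("stored  :", stored)
    print("on wire :", resp_a)
    print("same salt accepted :", server_accepts(stored, salt_a, resp_a))
    print("other salt accepted:", server_accepts(stored, salt_b, resp_a))
    for n in (1_000, 1_000_000, 100_000_000):
        print(f"{n:>11,} pairs -> {repeat_probability(n):.6f}")
    print("pairs for 50%:", pairs_needed(0.5))
```

The output shows that a response is only valid for the salt it was computed against, and that the repeat probability grows linearly with the number of distinct salts observed on an unencrypted connection.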


