Re: [HACKERS] Authentification method on client side checking - Mailing list pgsql-hackers

From Álvaro Hernández Tortosa
Subject Re: [HACKERS] Authentification method on client side checking
Date
Msg-id 66e45d75-b076-849b-9a49-6d4796da5572@8kdata.com
In response to [HACKERS] Authentification method on client side checking  (Victor Drobny <v.drobny@postgrespro.ru>)
Responses Re: [HACKERS] Authentification method on client side checking
List pgsql-hackers

On 09/07/17 18:47, Victor Drobny wrote:
> Hello,
>
> Despite the addition of SCRAM authentication to PostgreSQL 10, a MITM 
> attack can be performed by saying that the server supports, for 
> example, only md5 authentication. A possible solution for it is 
> checking the authentication method on the client side and rejecting 
> connections that could be unsafe.
>
> The PostgreSQL server can require unencrypted password passing, md5, 
> scram, gss or sspi authentication.
    Hi Victor.
    Precisely yesterday I initiated a similar thread: 
https://www.postgresql.org/message-id/d4098ef4-2910-c8bf-f1e3-f178ba77c381%408kdata.com
    I think that a) the mere auth mechanism is not enough (channel 
binding or not, SSL or not, change the effective security obtained a 
lot) and b) maybe a categorization is a better way of specifying a 
connection's security requirements.
    What's your opinion on this? Any answer should also be coordinated 
among the drivers.

    Álvaro


-- 

Álvaro Hernández Tortosa


-----------
<8K>data
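As an added illustration of the client-side check discussed in this thread (this is example code, not part of the original mail and not libpq or any driver's code): the backend announces the method it wants in an AuthenticationRequest message (type byte 'R', int32 length, int32 code; for SASL the body is a list of NUL-terminated mechanism names ending in an empty string). A client that parses that message before answering can refuse a downgrade. The ranking of methods into security categories is an assumption made for the example, in the spirit of the categorization proposed above; the sample messages are constructed inline.

```python
import struct

# Authentication request codes from the PostgreSQL frontend/backend protocol.
AUTH_OK = 0
AUTH_CLEARTEXT = 3
AUTH_MD5 = 5
AUTH_GSS = 7
AUTH_SSPI = 9
AUTH_SASL = 10

# Assumed security categories for the policy (higher is stronger). "ok" means the
# server asked for no credential at all, so nothing secret is disclosed; it is ranked
# lowest because it proves nothing about the peer either.
RANK = {
    "ok": 0,
    "cleartext": 0,
    "md5": 1,
    "gss": 2,
    "sspi": 2,
    "scram-sha-256": 3,
    "scram-sha-256-plus": 4,  # SCRAM with channel binding
}
SIMPLE_NAMES = {AUTH_OK: "ok", AUTH_CLEARTEXT: "cleartext", AUTH_MD5: "md5",
                AUTH_GSS: "gss", AUTH_SSPI: "sspi"}


def parse_auth_request(msg: bytes):
    """Return the list of methods the server offers in one 'R' message.

    For SASL the list holds the advertised mechanism names (lower-cased);
    for the other codes it holds a single entry such as "md5".
    """
    if len(msg) < 9 or msg[0:1] != b"R":
        raise ValueError("not an AuthenticationRequest message")
    length, code = struct.unpack("!ii", msg[1:9])
    if length != len(msg) - 1:  # length covers everything after the type byte
        raise ValueError("message length does not match payload")
    body = msg[9:]
    if code == AUTH_SASL:
        mechs = []
        while body:
            end = body.index(b"\x00")
            name, body = body[:end], body[end + 1:]
            if not name:  # empty string terminates the mechanism list
                break
            mechs.append(name.decode("ascii").lower())
        if not mechs:
            raise ValueError("SASL request without mechanisms")
        return mechs
    if code in SIMPLE_NAMES:
        return [SIMPLE_NAMES[code]]
    raise ValueError(f"unsupported authentication code {code}")


def acceptable(msg: bytes, minimum: str) -> bool:
    """Policy check: accept only if the best offered method meets `minimum`.

    A server (or a MITM) that offers only md5 while the client requires
    scram-sha-256 is rejected before any credential is sent.
    """
    offered = parse_auth_request(msg)
    best = max(RANK.get(m, -1) for m in offered)
    return best >= RANK[minimum]


def build_auth_request(code: int, body: bytes = b"") -> bytes:
    """Construct a sample 'R' message (test input, not captured traffic)."""
    return b"R" + struct.pack("!ii", 4 + 4 + len(body), code) + body


# Constructed sample messages, one per method the thread mentions.
SAMPLES = {
    "cleartext": build_auth_request(AUTH_CLEARTEXT),
    "md5": build_auth_request(AUTH_MD5, b"\x01\x02\x03\x04"),  # 4-byte salt
    "sasl": build_auth_request(AUTH_SASL, b"SCRAM-SHA-256\x00SCRAM-SHA-256-PLUS\x00\x00"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, parse_auth_request(msg), acceptable(msg, "scram-sha-256"))
```

The check must run on the first 'R' message, before the client has replied with anything; once a password or MD5 digest has been sent, refusing the connection is too late. The same policy can be applied to the SSL decision (a minimum category that requires channel binding implies an SSL connection), which is the point Álvaro makes about the bare method name not being enough.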



