Home > mailing lists

Re: SCRAM with channel binding downgrade attack - Mailing list pgsql-hackers

From	Heikki Linnakangas
Subject	Re: SCRAM with channel binding downgrade attack
Date	June 7, 2018 02:26:00
Msg-id	8228733d-9a32-ea87-9352-dede06ba686b@iki.fi Whole thread Raw
In response to	Re: SCRAM with channel binding downgrade attack (Peter Eisentraut <peter.eisentraut@2ndquadrant.com>)
Responses	Re: SCRAM with channel binding downgrade attack
List	pgsql-hackers

Tree view

On 06/06/18 23:20, Peter Eisentraut wrote:
> Aren't we attacking this on the wrong level?  We are here attempting to
> prevent a SCRAM-SHA-256-PLUS -> SCRAM-SHA-256 downgrade, but we are not
> preventing a SCRAM-SHA-256-PLUS -> anything-else downgrade.

The latest patch does prevent that, too. That was my complaint at 
https://www.postgresql.org/message-id/030284cc-d1d6-ce88-b677-a814f61c1880%40iki.fi, 
but it's been fixed now. (Or if you see a case where it still isn't, 
that's a bug.)

- Heikki

pgsql-hackers by date:

From: Andrew Gierth
Date: 07 June 2018, 02:25:14
Subject: Re: Why is fncollation in FunctionCallInfoData rather than fmgr_info?

From: Peter Eisentraut
Date: 07 June 2018, 02:31:36
Subject: Re: SCRAM with channel binding downgrade attack

Re: SCRAM with channel binding downgrade attack - Mailing list pgsql-hackers

Previous

Next