On Wed, Oct 22, 2014 at 3:12 PM, Dag-Erling Smørgrav <des@des.no> wrote:
Tom Lane <tgl@sss.pgh.pa.us> writes: > This looks to me like re-fighting the last war. Such a GUC has zero value > *unless* some situation exactly like the POODLE bug comes up again, and > the odds of that are not high.
Many people would have said the exact same thing before POODLE, and BEAST, and CRIME, and Heartbleed. You never know what sort of bugs or weaknesses will show up or when; all you know is that there are a lot of people working very hard to find these things and exploit them, and that they *will* succeeded, again and again and again. You can gamble that PostgreSQL will not be vulnerable due to specific details of its protocol or how it uses TLS, but that's a gamble which you will eventually lose.
There are some companies, without naming them, that have increased the resources dedicated to analyze existing security protocols and libraries, so even if the chances are low, IMO the occurence that similar problems show up are getting to increase wit the time.
> Moreover, the GUC could easily be misused to decrease rather than increase > one's security, if it's carelessly set.
That's the user's responsibility.
I actually just had a user knocking about having a way to control the protocols used by server... So, changing my opinion on the matter, that would be nice to have even such a parameter on back-branches, with 'default' to let the server decide which one is better.
