On Fri, Oct 4, 2019 at 3:42 AM Stephen Frost <sfrost@snowman.net> wrote:
> It doesn't seem like it would require > much work at all to construct an argument that a hacker might enjoy > having unfettered access to pg_clog even if no other part of the > database can be read.
The question isn't about what hackers would like to have access to, it's about what would actually provide them with a channel to get information that's sensitive, and at what rate. Perhaps there's an argument to be made that clog would provide a high enough rate of information that could be used to glean sensitive information, but that's certainly not an argument that's been put forth, instead it's the knee-jerk reaction of "oh goodness, if anything isn't encrypted then hackers will be able to get access to everything" and that's just not a real argument.
Huh. That is *exactly* the argument I made. Though granted the example was on multixact primarily, because I think that is much more likely to leak interesting information, but the basis certainly applies to all the metadata.
