Re: SCRAM with channel binding downgrade attack - Mailing list pgsql-hackers
| From | Magnus Hagander |
|---|---|
| Subject | Re: SCRAM with channel binding downgrade attack |
| Date | |
| Msg-id | CABUevEy3yBkrQjWv3U_XA12HeKzRcF6_9DPZpkZ-fSwp6dP3AA@mail.gmail.com Whole thread Raw |
| In response to | Re: SCRAM with channel binding downgrade attack (Michael Paquier <michael@paquier.xyz>) |
| List | pgsql-hackers |
On Wed, May 23, 2018 at 10:56 AM, Michael Paquier <michael@paquier.xyz> wrote:
On Wed, May 23, 2018 at 08:59:43AM +0200, Magnus Hagander wrote:
> On Wed, May 23, 2018 at 8:46 AM, Heikki Linnakangas <hlinnaka@iki.fi> wrote:
>> "tls-unique" and "tls-server-end-point" are overly technical to users.
>> They don't care which one is used, there's no difference in security.
>> Furthermore, if we add another channel binding type in the future, perhaps
>> because someone finds a vulnerability in those types and a new one is added
>> to address it, users would surely like to be automatically switched over to
>> the new binding type. If they have "tls-unique" hardcoded in connection
>> strings, that won't happen.
>>
>> So I think the options should be "prefer", "disable", and "require".
>> That's also symmetrical with sslmode, which is nice.
OK, being able to introduce a new default if necessary is a good point.
Let's introduce a "require" mode then, which uses tls-unique
underground, while "tls-unique" and "tls-server-end-point" are
documented as developer-oriented.
> As a general point, I still don't like being symmetrical with
> sslmode=prefer, because that's a silly setting for sslmode :) It basically
> says "I don't care about the security guarantees, I just want the overhead
> please". Now, granted, the over head for SCRAM channel-binding is certainly
> a lot less than it is for TLS. But if we just want to go with symmetry, it
> would perhaps make more sense to implement the "allow" mode which makes
> more sense on the TLS side as well.
Something that you may be forgetting here is that we still want to be
able to connect to a v10 backend with default options even with a
post-v11 libpq. Or we will get complaints.
Right. Having a mode called "allow" and having that be default would work fine in this case, wouldn't it?
(That is, my suggestion is to implement "allow", "disable" and "require", and to make "allow" the default)
>> It would be nice to have a libpq setting like
>> "authenticate_server=require", which would mean "I want man-in-the-middle
>> protection".
>
> That seems like a bad name for such a thing. Shouldn't it be
> "authenticate_server=no_man_in_the_middle" (not those words but you get the
> idea). Specifically, protecting against man in the middle attack does not
> equal authenticating server -- you can still be connected to the wrong
> server just with no second attacker between you and the first
> attacker.
Still that's not something we want for v11, right?
Agreed.
>> With that, a connection would be allowed, if either the server's SSL
>> certificate is verified as with "sslmode=verify-full", *or* SCRAM
>> authentication with channel binding was used. Or perhaps cram it into
>> sslmode, "sslmode=verify-full-or-scram-channel-binding", just with a
>> nicer name. (We can do that after v11 though, I think.)
>
> sslmode=verify-full is very different from SCRAM with channel binding,
> isn't it? As in, SCRAM with channel binding at no point proves which server
> you're talking to -- only that you are talking to the SSL endpoint? It
> could be a rogue SSL endpoint unless you do certificate validation.
And the reverse is true as well, say the CA is compromised..
Well, sure. But scram channel binding doesn't protect you there, so you're screwed either way if that happens.
pgsql-hackers by date: