On Thu, Mar 3, 2022 at 11:50 PM Tatsuo Ishii <ishii@sraoss.co.jp> wrote:
>
> >> So, dropping plaintext password authentication support from libpq will
> >> make it impossible for users to use the former method.
> >
> > Yes, just like dropping support for md5 would make it impossible for
> > users to have their passwords be hashed with md5, which is an altogether
> > good thing considering how easy it is to brute-force md5 these days.
>
> I still don't understand why using plaintext password authentication
> over SSL connection is considered insecure. Actually we have been
> stating opposite in the manual:
> https://www.postgresql.org/docs/14/auth-password.html
>
> "If the connection is protected by SSL encryption then password can be
> used safely, though."

If you aren't doing client verification (i.e., cert in pg_hba) and are
not doing verify-full on the client side then a man-in-the-middle
attack on TLS is trivial, and the plaintext password will be
sniffable.
The documentation should be updated to say under no circumstances is this safe.
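To make concrete what "sniffable" means once someone can read the bytes inside the TLS session, here is an added example (not part of this thread and not PostgreSQL's or libpq's code) that runs both sides of the two authentication methods being discussed and then looks at the transcript from the attacker's seat. It follows the message shapes libpq uses (a PasswordMessage for the `password` method; RFC 5802/7677 SCRAM-SHA-256 without channel binding, with the empty `n=` libpq sends because the user name is already in the startup packet) and PostgreSQL's `SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey>` secret format. The salt, nonces, password and word list are constructed values chosen only to keep the run deterministic, and the failure ErrorResponse is abbreviated.

```python
import base64
import hashlib
import hmac
import struct

# Constructed inputs (hypothetical; they only keep the run deterministic). 4096 is PostgreSQL's default.
ITERATIONS = 4096
SALT = bytes.fromhex("0123456789abcdef0123456789abcdef")
CLIENT_NONCE = "rOprNGfwEbeRWgbNEkqO"
SERVER_NONCE = "hvYDpWUa2RaTCAfuxFIlj"


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def client_keys(password: str, salt: bytes, iterations: int) -> tuple:
    """RFC 5802 derivation: SaltedPassword -> ClientKey, StoredKey = H(ClientKey), ServerKey."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return client_key, hashlib.sha256(client_key).digest(), server_key


def scram_verifier(password: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> dict:
    """What the server keeps in pg_authid.rolpassword: salt, StoredKey and ServerKey, never the password."""
    _, stored_key, server_key = client_keys(password, salt, iterations)
    return {
        "iterations": iterations, "salt": salt,
        "stored_key": stored_key, "server_key": server_key,
        "rolpassword": f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored_key)}:{b64(server_key)}",
    }


def plaintext_exchange(password: str) -> list:
    """The 'password' method: a single PasswordMessage, 'p' + int32 length + NUL-terminated password."""
    body = password.encode() + b"\x00"
    return [("client", b"p" + struct.pack("!I", 4 + len(body)) + body)]


def scram_exchange(password: str, verifier: dict,
                   client_nonce: str = CLIENT_NONCE, server_nonce: str = SERVER_NONCE) -> tuple:
    """Both sides of scram-sha-256 without channel binding.
    Returns (wire transcript, server accepted the client, client accepted the server)."""
    client_first_bare = f"n=,r={client_nonce}"        # libpq sends an empty n=: user is in the startup packet
    wire = [("client", b"n,," + client_first_bare.encode())]
    nonce = client_nonce + server_nonce
    server_first = f"r={nonce},s={b64(verifier['salt'])},i={verifier['iterations']}"
    wire.append(("server", server_first.encode()))
    # client: read salt and iteration count off the wire, derive keys from the password it knows
    attrs = dict(part.split("=", 1) for part in server_first.split(","))
    client_key, stored_key, server_key = client_keys(password, base64.b64decode(attrs["s"]), int(attrs["i"]))
    client_final_bare = f"c=biws,r={nonce}"           # biws = base64("n,,"): no channel binding
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()
    proof = xor(client_key, hmac.new(stored_key, auth_message, hashlib.sha256).digest())
    wire.append(("client", f"{client_final_bare},p={b64(proof)}".encode()))
    # server: ClientKey = proof XOR HMAC(StoredKey, AuthMessage); accept iff H(ClientKey) == StoredKey
    recovered = xor(proof, hmac.new(verifier["stored_key"], auth_message, hashlib.sha256).digest())
    if not hmac.compare_digest(hashlib.sha256(recovered).digest(), verifier["stored_key"]):
        wire.append(("server", b"E password authentication failed"))   # abbreviated ErrorResponse
        return wire, False, False
    server_sig = hmac.new(verifier["server_key"], auth_message, hashlib.sha256).digest()
    wire.append(("server", f"v={b64(server_sig)}".encode()))
    # client: v= proves the server holds ServerKey, so a server that lacks the verifier fails here
    expected = hmac.new(server_key, auth_message, hashlib.sha256).digest()
    return wire, True, hmac.compare_digest(expected, server_sig)


def password_visible(wire: list, password: str) -> bool:
    """What anyone who can read the bytes (a TLS MITM, or a sniffer on a cleartext link) learns directly."""
    return any(password.encode() in msg for _, msg in wire)


def offline_guess(wire: list, wordlist: list):
    """Residual risk of a captured SCRAM transcript: offline guessing at one PBKDF2 run per candidate."""
    client_first_bare = wire[0][1][3:].decode()       # strip the "n,," GS2 header
    server_first, client_final = wire[1][1].decode(), wire[2][1].decode()
    attrs = dict(part.split("=", 1) for part in server_first.split(","))
    salt, iterations = base64.b64decode(attrs["s"]), int(attrs["i"])
    client_final_bare, proof_b64 = client_final.rsplit(",p=", 1)
    proof = base64.b64decode(proof_b64)
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()
    for guess in wordlist:
        client_key, stored_key, _ = client_keys(guess, salt, iterations)
        if xor(client_key, hmac.new(stored_key, auth_message, hashlib.sha256).digest()) == proof:
            return guess
    return None


if __name__ == "__main__":
    verifier = scram_verifier("hunter2")
    wire, server_ok, client_ok = scram_exchange("hunter2", verifier)
    print("password on wire, plaintext vs scram:", password_visible(plaintext_exchange("hunter2"), "hunter2"), password_visible(wire, "hunter2"))
    print("scram handshake ok:", server_ok and client_ok, "| dictionary attack:", offline_guess(wire, ["password", "hunter2"]))
```

With the `password` method the secret itself is the only thing on the wire, so whoever terminates the TLS session has it. With SCRAM the transcript carries a salted, iterated proof: the attacker is reduced to offline guessing, and a fake server that does not hold the real verifier cannot produce a valid `v=`. An active man in the middle can still relay an unbound SCRAM exchange to the genuine server, which is what channel binding (`scram-sha-256-plus`, `channel_binding=require` in libpq) and `sslmode=verify-full` close off; the example shows why the plaintext method is strictly worse, not that SCRAM alone makes an unverified TLS connection safe.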