Home > mailing lists

Re: SCRAM with channel binding downgrade attack - Mailing list pgsql-hackers

From	Heikki Linnakangas
Subject	Re: SCRAM with channel binding downgrade attack
Date	May 28, 2018 15:26:37
Msg-id	dea8f83f-9626-a56d-6137-7a23c97f7adf@iki.fi Whole thread Raw
In response to	Re: SCRAM with channel binding downgrade attack (Michael Paquier <michael@paquier.xyz>)
Responses	Re: SCRAM with channel binding downgrade attack (Michael Paquier <michael@paquier.xyz>)
List	pgsql-hackers

Tree view

On 28/05/18 12:20, Michael Paquier wrote:
> On Mon, May 28, 2018 at 12:00:33PM +0300, Heikki Linnakangas wrote:
>> That's not a new problem, but it makes the MITM protection fairly pointless,
>> if a fake server can acquire the user's password by simply asking for it.
>> The client will report a failed connection, but with the user's password,
>> Mallory won't need to act as a MITM anymore.
> 
> Yeah, I know..  Do you think that it would be better to add an extra
> switch/case at the beginning of pg_fe_sendauth which filters and checks
> per message types then?

Sounds good.

- Heikki

pgsql-hackers by date:

From: Michael Paquier
Date: 28 May 2018, 15:20:02
Subject: Re: SCRAM with channel binding downgrade attack

From: Yuriy Zhuravlev
Date: 28 May 2018, 15:32:43
Subject: Re: Is a modern build system acceptable for older platforms

Re: SCRAM with channel binding downgrade attack - Mailing list pgsql-hackers

Previous

Next