Thread: ssl and/or md5 encryption
Hi: I specify md5 encryption in my pg_hba.conf file. Would using SSL on top of this be overkill? Thanks
On Wed, Nov 30, 2005 at 08:24:34AM -0500, Colton A Smith wrote: > I specify md5 encryption in my pg_hba.conf file. Would using SSL on > top of this be overkill? Specifying md5 in pg_hba.conf affects only password authentication; everything else will be sent in cleartext. What's your threat model? What do you want to secure? Just authentication, or data transfer as well? -- Michael Fuhr
On Wed, Nov 30, 2005 at 08:24:34 -0500, Colton A Smith <smith@cs.utk.edu> wrote: > > I specify md5 encryption in my pg_hba.conf file. Would using SSL on > top of this be overkill? md5 password hashing doesn't buy a whole lot. If packet sniffing is a significant threat for you, you probably want to consider forcing clients to use ssl. If you have cpu cycles to burn, you probably also want to use it.