On 12/20/11 13:46, Dmitry Yemanov wrote:
> 20.12.2011 12:57, Alex Peshkoff wrote:
>
>> Certainly, and it's already done. With one exception - FB3 protocol
>> begins authentication inside op_connect. That's absolutely backward
>> compatible - I've added new tags to CNCT_ID block, and they are
>> certainly just ignored by older servers. For FB3 client-server pair this
>> helps to avoid extra roundtrip when attaching database.
>
> I don't mind an extra round-trip during the attach call if it would make
> the scheme more secure. But it doesn't seem to be the case here.
>

Yes, it's not the case here. As for the extra round-trip: I suppose extra
round-trips are one of the main reasons why our performance on WAN is not
good compared with MySQL. Taking into account that WAN tasks are often
'attach/execute single statement/detach', I prefer to avoid it even in the
attach call.

>> connect: client's public key, login and database name => server
>> accept: (server ignored SRP info) => client
>> attach: legacy password_enc => server
>> response: success if password is correct
>
> So, by "compromised" you mean that the password intended for the secure
> communication is encoded using the weak legacy encryption routine and
> sent over-the-wire?
>

Yes.

> Honestly, I don't see how it can be avoided in general. We either make
> the auth configurable on the client (which we'd like to avoid) or
> introduce some runtime control (e.g. isc_dpb_sec_password) that prevents
> the password from being sent using the non-SRP way. But this requires
> application developers to care about the security, which does not look
> like a good option either.
>

If we talk about such tricks, there is a much more general approach. Some
time ago we were talking about getting firebird.conf entries from the
environment. If we have such a feature, an application can easily change
the list of auth plugins.

> So perhaps a warning could be enough. A one-time user error is unlikely
> to make the system immediately broken but [provided the warning has been
> seen]

If the user does not read what is written on the screen, we can't help
this. Though typically they do not read error (moreover warning) texts.

> it would prevent this from happening again.

Our warning text may suggest changing the password if it was entered for
the wrong server. I'm afraid we can't help with this any more. Probably in
FB4 turn off legacy by default.

Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
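Added example, not part of the thread and not Firebird's own code: a toy model of the connect/accept/attach/response exchange quoted above, showing what an on-path observer sees when a new client talks to (a) a server that answers the SRP tags and (b) an older server that ignores them and so receives the legacy password_enc, and what the client-side control Dmitry mentions (here a boolean `allow_legacy` standing in for something like isc_dpb_sec_password) changes. The message names follow the exchange in the mail; the `legacy_password_enc` and `srp_verifier` functions, the `Wire` recorder, the server classes and the SYSDBA/masterkey account are all assumptions made for this illustration and do not model Firebird's real wire format, its legacy encoding or real SRP.

```python
"""Toy model of the FB3-style auth negotiation and its legacy downgrade.

Assumptions (not Firebird's actual implementation):
  * legacy_password_enc is a fast unsalted hash standing in for the legacy
    one-way encoding; whoever captures it can replay it or crack it offline.
  * the 'SRP' side is a salted-verifier challenge/response, not real SRP;
    it only has to show that no password-equivalent crosses the wire.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def legacy_password_enc(password: str) -> str:
    """Stand-in for the legacy encoding (assumption: unsalted, deterministic)."""
    return hashlib.sha1(password.encode()).hexdigest()[:16]


def srp_verifier(salt: bytes, password: str) -> bytes:
    """Stand-in for the SRP verifier (assumption: salted, stays on the server)."""
    return hashlib.sha256(salt + password.encode()).digest()


@dataclass
class Wire:
    """Everything an on-path observer can see, in order."""
    messages: list = field(default_factory=list)

    def send(self, direction: str, op: str, **fields) -> None:
        self.messages.append((direction, op, dict(fields)))


class LegacyServer:
    """Older server: knows nothing about the new CNCT_ID tags."""

    def __init__(self, users: dict):
        self.users = {u: legacy_password_enc(p) for u, p in users.items()}

    def op_connect(self, cnct: dict) -> dict:
        # Plugin list and client public key are unknown tags: silently ignored.
        return {"srp": None}

    def op_attach(self, login: str, password_enc: str) -> bool:
        return hmac.compare_digest(self.users.get(login, ""), password_enc)


class Fb3Server:
    """New server: answers the SRP tags carried inside op_connect."""

    def __init__(self, users: dict):
        self.salts = {u: secrets.token_bytes(16) for u in users}
        self.verifiers = {u: srp_verifier(self.salts[u], p) for u, p in users.items()}
        self.nonces = {}

    def op_connect(self, cnct: dict) -> dict:
        login = cnct["login"]
        if "Srp" not in cnct["plugins"] or login not in self.verifiers:
            return {"srp": None}
        nonce = secrets.token_bytes(16)
        self.nonces[login] = nonce
        return {"srp": {"salt": self.salts[login], "nonce": nonce}}

    def op_attach(self, login: str, proof: str) -> bool:
        nonce = self.nonces.pop(login, None)
        if nonce is None:
            return False
        expected = hmac.new(self.verifiers[login], nonce, "sha256").hexdigest()
        return hmac.compare_digest(expected, proof)


def client_attach(server, wire: Wire, login: str, password: str,
                  database: str, allow_legacy: bool) -> bool:
    """New client. Returns the server's success flag; raises PermissionError
    when the server offered no SRP data and policy forbids the legacy path."""
    cnct = {"login": login, "database": database,
            "plugins": ["Srp", "Legacy_Auth"],  # assumed plugin names
            "srp_pubkey": secrets.token_hex(8)}  # placeholder for client's A
    wire.send("c->s", "op_connect", **cnct)
    accept = server.op_connect(cnct)
    wire.send("s->c", "op_accept", srp=accept["srp"])
    if accept["srp"] is not None:
        verifier = srp_verifier(accept["srp"]["salt"], password)
        proof = hmac.new(verifier, accept["srp"]["nonce"], "sha256").hexdigest()
        wire.send("c->s", "op_attach", login=login, proof=proof)
        ok = server.op_attach(login, proof)
    else:
        if not allow_legacy:
            raise PermissionError("server offered no SRP; refusing legacy fallback")
        enc = legacy_password_enc(password)
        wire.send("c->s", "op_attach", login=login, password_enc=enc)
        ok = server.op_attach(login, enc)
    wire.send("s->c", "op_response", success=ok)
    return ok


def leaked_password_equivalent(wire: Wire, password: str) -> bool:
    """True if the legacy encoding of `password` was observable on the wire."""
    enc = legacy_password_enc(password)
    return any(m[2].get("password_enc") == enc for m in wire.messages)


if __name__ == "__main__":
    users = {"SYSDBA": "masterkey"}  # constructed sample account
    for name, srv in (("FB3", Fb3Server(users)), ("legacy", LegacyServer(users))):
        w = Wire()
        ok = client_attach(srv, w, "SYSDBA", "masterkey", "emp.fdb", allow_legacy=True)
        print(name, "attach ok:", ok, "leaked:", leaked_password_equivalent(w, "masterkey"))
```

Run against the FB3-style server the wire carries a salt, a nonce and an HMAC proof bound to that nonce, so a capture yields nothing replayable; against the legacy server it carries `password_enc`, which is exactly the compromise discussed in the mail. Setting `allow_legacy=False` turns the downgrade into a hard failure before anything password-derived is sent, which is the behaviour a DPB-level control or a client-side plugin list (via firebird.conf or the environment, as suggested above) would give.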
