> On Tue, Jun 26, 2001 at 11:02:15AM -0400, Bruce Momjian wrote:
> > This is the first time I am hearing people are more concerned about
> > pg_shadow security than the wire security. I can see cases where people
> > are on secure networks or are using only local users where having
> > pg_shadow encrypted is more important than crypt authentication.
> > Fortunately the new system will solve both problems.
>
> The crypt authentication currently used offers _no_ security. If I can
> sniff on the wire, I can hijack the tcp stream, and trick the client
> into doing password authentication.
It is my understanding that sniffing is much easier than hijacking. If
hijacking is a concern, you have to use SSL.
--
Bruce Momjian | http://candle.pha.pa.us
[EMAIL PROTECTED] | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
---------------------------(end of broadcast)---------------------------
TIP 6: Have you searched our list archives?
http://www.postgresql.org/search.mpl
