On Wed, Jul 11, 2001 at 01:24:53PM +1000, Michael Samuel wrote:
> The crypt authentication currently used offers _no_ security.
...
> Of course, SSL *if done correctly with certificate verification* is the
> correct fix. If no certificate verification is done, you fall victim to
> a man-in-the-middle attack.

It seems worth noting here that you don't have to depend on SSL authentication; PG can do its own authentication over SSL and avoid the man-in-the-middle attack that way. Of course, PG would have to do its authentication properly, e.g. with the HMAC method.

That seems better than depending on SSL authentication, because SSL certification seems to be universally misconfigured.

Nathan Myers
[EMAIL PROTECTED]