Tom Lane wrote: > Alvaro Herrera <[EMAIL PROTECTED]> writes: >> Andrew Gierth wrote: >>> 2. The server accepts either the old-style or the secure cancel >>> request from the client, but doesn't allow old-style requests >>> once a valid secure request has been seen. > >> Hmm, I think there should be a way to turn off acceptance of old-style >> without necessarily requiring a new-style request. Otherwise, how are >> you protected from DoS if you have never sent a cancel request at all? > > Assuming you were using SSL, it's hard to see how an attacker is going > to get your cancel key without having seen a cancel request.
Not only that, but he'll have to see an *old-style* cancel request, since the new style doesn't contain the key. And if you're *not* using SSL, the attacker can just sniff they key off the initial packet instead. > However, I dislike Andrew's proposal above even without that issue, > because it means *still more* changeable state that has to be magically > shared between postmaster and backends. If we want to have a way for > people to disable insecure cancels, we should just have a postmaster > configuration parameter that does it. Agreed. Your security policy also should not depend on what your client happens to do, it should be enforceable. //Magnus -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
