On Mon, Apr 13, 2015 at 9:38 AM, Heikki Linnakangas <hlinn...@iki.fi> wrote: > On 04/10/2015 05:17 AM, Robert Haas wrote: >> >> On Apr 9, 2015, at 8:51 PM, Heikki Linnakangas <hlinn...@iki.fi> wrote: >>> >>> What should we do about this? >> >> >> I bet that there are at least 1000 covert channel attacks that are more >> practically exploitable than this. > > > Care to name some? This is certainly quite cumbersome to exploit, but it's > doable. > > We've talked a lot about covert channels and timing attacks on RLS, but this > makes me more worried because you can attack passwords stored in pg_authid.
Isn't the attack mentioned on this thread true as long as a user knows that a given table stores a password? I don't see why this would be limited to pg_authid. -- Michael -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
