On Wed, Apr 15, 2015 at 9:42 PM, Michael Paquier <michael.paqu...@gmail.com> wrote:
> On Wed, Apr 15, 2015 at 9:20 PM, Michael Paquier
> <michael.paqu...@gmail.com> wrote:
>> On Wed, Apr 15, 2015 at 2:22 PM, Fujii Masao wrote:
>>> On Wed, Apr 15, 2015 at 11:55 AM, Michael Paquier wrote:
>>>> 1) Doc patch to mention that it is possible that compression can give
>>>> hints to attackers when working on sensible fields that have a
>>>> non-fixed size.
>>>
>>> I think that this patch is enough as the first step.
>>
>> I'll get something done for that at least, a big warning below the
>> description of wal_compression would do it.
So here is a patch for this purpose, with the following text being used:

+     <warning>
+      <para>
+       When enabling <varname>wal_compression</varname>, there is a risk
+       to leak data similarly to the BREACH and CRIME attacks on SSL where
+       the compression ratio of a full page image gives a hint of what is
+       the existing data of this page. Tables that contain sensitive
+       information like <structname>pg_authid</structname> with password
+       data could be potential targets to such attacks. Note that as a
+       prerequisite a user needs to be able to insert data on the same page
+       as the data targeted and need to be able to detect checkpoint
+       presence to find out if a compressed full page write is included in
+       WAL to calculate the compression ratio of a page using WAL positions
+       before and after inserting data on the page with data targeted.
+      </para>
+     </warning>

Comments and reformulations are welcome.

Regards,
--
Michael
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index b30c68d..2f61e29 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -2303,6 +2303,22 @@ include_dir 'conf.d' but at the cost of some extra CPU spent on the compression during WAL logging and on the decompression during WAL replay. </para> + + <warning> + <para> + When enabling <varname>wal_compression</varname>, there is a risk + to leak data similarly to the BREACH and CRIME attacks on SSL where + the compression ratio of a full page image gives a hint of what is + the existing data of this page. Tables that contain sensitive + information like <structname>pg_authid</structname> with password + data could be potential targets to such attacks. Note that as a + prerequisite a user needs to be able to insert data on the same page + as the data targeted and need to be able to detect checkpoint + presence to find out if a compressed full page write is included in + WAL to calculate the compression ratio of a page using WAL positions + before and after inserting data on the page with data targeted. + </para> + </warning> </listitem> </varlistentry>
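Review bot: the warning text in this hunk needs a grammar pass before it goes into config.sgml: "there is a risk to leak data" should read "there is a risk of leaking data", and in "a user needs to be able to insert data ... and need to be able to detect checkpoint presence" the second verb should also be "needs". The last sentence (from "Note that as a prerequisite" to "data targeted") packs both prerequisites into one run-on; splitting it into two statements (the attacker must be able to insert rows on the same page as the targeted data; the attacker must be able to tell, from WAL positions taken before and after that insert, whether a compressed full-page image was written after a checkpoint) would make the conditions easier for an administrator to evaluate. "BREACH and CRIME attacks on SSL" is also imprecise: CRIME targeted TLS-level compression and BREACH targeted compressed HTTP responses, so "similar to the CRIME and BREACH attacks on compressed TLS and HTTP traffic" would be more accurate. Finally, the warning states the risk but not the recommended action; a closing sentence advising to leave wal_compression disabled where roles that are not fully trusted can insert into tables whose pages hold sensitive variable-length data would give the reader something to act on.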
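As an added illustration of the effect the proposed warning describes (this is not part of the thread and not PostgreSQL code), the following Python sketch shows, on a constructed page and a made-up secret, that an LZ-family compressor produces a smaller full-page image when newly inserted data repeats content already on the page. It uses zlib as a stand-in for pglz, which PostgreSQL actually uses for full-page writes; FILLER, SECRET, compressed_fpi_size and size_delta are names chosen here, not PostgreSQL identifiers.

```python
import zlib

# Constructed stand-in for a heap page: a few ordinary rows followed by a
# secret value of variable length (think of a password hash in pg_authid).
# The hash-looking value is made up; it is not a real hash of anything.
FILLER = b"".join(b"user%02d|alice@example.test|active\n" % i for i in range(8))
SECRET = b"md5:0f1e2d3c4b5a69788796a5b4c3d2e1f0"
PAGE = FILLER + SECRET


def compressed_fpi_size(page: bytes, inserted: bytes) -> int:
    """Length of the compressed full-page image once `inserted` lands on `page`.

    PostgreSQL compresses full-page writes with pglz; zlib is used here only
    as an LZ-family stand-in that shows the same back-reference behaviour.
    """
    return len(zlib.compress(page + inserted, 9))


def size_delta(page: bytes, candidate_a: bytes, candidate_b: bytes) -> int:
    """Bytes saved by the compressor for candidate_a compared with candidate_b.

    A positive result means candidate_a shares more content with what is
    already on the page. That difference is exactly the signal the
    wal_compression warning describes: it becomes observable as a smaller
    distance between WAL positions taken before and after the insert.
    """
    return compressed_fpi_size(page, candidate_b) - compressed_fpi_size(page, candidate_a)


if __name__ == "__main__":
    # An insert that repeats the secret versus one of the same shape and
    # length that merely looks like another hash.
    matching = SECRET
    unrelated = b"md5:1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d"
    print("compressed image, insert repeats page data:", compressed_fpi_size(PAGE, matching))
    print("compressed image, unrelated insert       :", compressed_fpi_size(PAGE, unrelated))
    print("bytes of signal visible in the ratio     :", size_delta(PAGE, matching, unrelated))
```

The point for an administrator is the precondition the warning spells out: the signal only exists when data an untrusted role controls ends up in the same compressed unit as the sensitive data and that role can read WAL positions. Where both hold, leaving wal_compression off, or keeping sensitive variable-length columns out of tables such roles can insert into, removes the channel rather than merely narrowing it.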
-- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers