On Fri, Jul 29, 2016 at 4:13 PM, Bruce Momjian <br...@momjian.us> wrote: > Yes, I am thinking of a case where Postgres is down but a malevolent > user starts a Postgres server on 5432 to gather passwords.
Or someone spoofs your DNS lookup, which is an attack that can actually be done remotely in some cases. For what it's worth the SCRAM work also addresses precisely this danger though it doesn't prevent the attacker from pretending to be a real server and capturing private data from the SQL updates. Even in the case where there's no known server certificate it could save the fingerprint seen once and require it not change. This proves to be a headache to manage though. It's equivalent to the SSH known_hosts scheme. How many times have you seen that warning message and just automatically removed the entry in known_hosts without verifying... One day DNSSEC will solve all these problems though. Then you'll just store the certificate in the DNS entry for the server and the client will insist it match. -- greg -- Sent via pgsql-hackers mailing list (firstname.lastname@example.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers