On Wed, Apr 12, 2017 at 12:13:03PM +0300, Heikki Linnakangas wrote:
> >That said, I stand by my comment that I don't think it's the enterprises
> >that need or want the channel binding. If they care about it, they have
> >already put certificate validation in place, and it won't buy them anything.
> >
> >Because channel binding also only secures the authentication (SCRAM), not
> >the actual contents and commands that are then sent across the channel,
> >AFAIK?
>
> TLS protects the contents and the commands. The point of channel binding is
> to defeat a MITM attack, where the client connects to a malicious server,
> using TLS, which then connects to the real server, using another TLS
> connection. Channel binding will detect that the client and the real server
> are not communicating over the same TLS connection, but two different TLS
> connections, and make the authentication fail.
>
> SSL certificates, with validation, achieve the same, but channel binding
> achieves it without the hassle of certificates.

How does it do that?

-- 
  Bruce Momjian  <br...@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +
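
An added illustration of the mechanism described in the quoted text, not part of the original message and not PostgreSQL's code: a simplified SCRAM-SHA-256 final exchange (after RFC 5802) in which the client's proof covers per-connection channel binding data. Assumptions: random bytes stand in for each TLS session's tls-unique value, and the earlier SCRAM messages, user name, nonces and password are constructed.

```python
import base64, hashlib, hmac, os

def H(b): return hashlib.sha256(b).digest()
def HMAC(k, m): return hmac.new(k, m, hashlib.sha256).digest()
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

GS2 = b"p=tls-unique,,"  # GS2 header: client states it uses channel binding
# Constructed client-first-bare and server-first messages (sample values).
FIRST = "n=alice,r=cnonce,r=cnoncesnonce,s=c2FsdA==,i=4096"

def client_final(password, salt, iters, cbind):
    """Client: bind the proof to the TLS connection the client itself sees."""
    salted = hashlib.pbkdf2_hmac("sha256", password, salt, iters)
    client_key = HMAC(salted, b"Client Key")
    without_proof = "c=" + base64.b64encode(GS2 + cbind).decode() + ",r=cnoncesnonce"
    auth_message = (FIRST + "," + without_proof).encode()
    proof = xor(client_key, HMAC(H(client_key), auth_message))
    return without_proof, proof

def server_verify(stored_key, server_cbind, without_proof, proof):
    """Server: c= must match its own connection, and the proof must cover it."""
    expected_c = "c=" + base64.b64encode(GS2 + server_cbind).decode()
    if not hmac.compare_digest(without_proof.split(",")[0], expected_c):
        return "channel binding mismatch"
    auth_message = (FIRST + "," + without_proof).encode()
    client_key = xor(proof, HMAC(stored_key, auth_message))
    return "ok" if hmac.compare_digest(H(client_key), stored_key) else "bad proof"

def demo():
    salt, iters, pw = b"salt", 4096, b"secret"  # constructed credentials
    stored_key = H(HMAC(hashlib.pbkdf2_hmac("sha256", pw, salt, iters), b"Client Key"))
    conn_a, conn_b = os.urandom(12), os.urandom(12)  # stand-ins for tls-unique
    # Same TLS connection on both ends: authentication succeeds.
    direct = server_verify(stored_key, conn_a, *client_final(pw, salt, iters, conn_a))
    # Client is on connection A, server on connection B, message relayed as-is.
    wp, proof = client_final(pw, salt, iters, conn_a)
    relayed = server_verify(stored_key, conn_b, wp, proof)
    # Relay swaps in B's binding data: the proof no longer matches AuthMessage.
    swapped = "c=" + base64.b64encode(GS2 + conn_b).decode() + ",r=cnoncesnonce"
    rewritten = server_verify(stored_key, conn_b, swapped, proof)
    return direct, relayed, rewritten

if __name__ == "__main__":
    print(demo())
```

The relay cannot produce a valid proof for its own connection's binding data because doing so requires the client key, which is derived from the password and never sent.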