On 09/07/17 18:47, Victor Drobny wrote:

Despite the addition of SCRAM authentification to PostgreSQL 10, MITM attack can be performed by saying that the server supports, for example, only md5 authentication. The possible solution for it is checking authentification method on a client side and reject connections that could be unsafe.

Postgresql server can require unencrypted password passing, md5, scram, gss or sspi authentification.

    Hi Victor.

Precisely yesterday I initiated a similar thread: https://www.postgresql.org/message-id/d4098ef4-2910-c8bf-f1e3-f178ba77c381%408kdata.com

I think that a) the mere auth mechanism is not enough (channel binding or not, ssl or not, change a lot the effective security obtained) and b) maybe a categorization is a better way of specifying a connection security requirements.

What's your opinion on this? Any answer should also be coordinated among the drivers.



Álvaro Hernández Tortosa


Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:

Reply via email to