On 5/26/23 6:47 PM, Jacob Champion wrote:
> On Thu, May 25, 2023 at 6:10 PM Jonathan S. Katz <jkatz@postgresql.org> wrote:
>> + To prevent server spoofing from occurring when using
>> + <link linkend="auth-password">scram-sha-256</link> password authentication
>> + over a network, you should ensure you are connecting using SSL.
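Review bot: "ensure you are connecting using SSL" understates the requirement; an SSL connection alone does not stop a spoofed server unless the client also verifies the server's certificate and host name, which in libpq means sslmode=verify-full, as the reply below points out. Suggest naming the mode in the sentence, e.g. "you should ensure you are connecting with sslmode=verify-full so that the server's identity is verified", and linking to the libpq sslmode description rather than leaving the reader to infer it from the previous paragraph.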
>
> seems to backtrack on the recommendation -- you have to use
> sslmode=verify-full, not just SSL, to avoid handing a weak(er) hash to
> an untrusted party.
The above assumes that the reader reviewed the previous paragraph and
followed the guidelines there. However, we can make it explicit. Please
see attached.
Thanks,
Jonathan
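The distinction raised in the thread above (any SSL connection versus sslmode=verify-full) is easy to get wrong in application config, because libpq's default sslmode is "prefer" and "require" encrypts without authenticating the server. The following is an added example, not PostgreSQL project code or anything from the thread: a small audit helper that reads a libpq connection string in either URI or key=value form, falls back to PGSSLMODE the way libpq does, and reports whether the server's identity will actually be verified before SCRAM runs. The parser is a deliberate simplification (unquoted key=value tokens only, PGSSLMODE as the only environment variable consulted); libpq's real parser handles more.

```python
"""
Audit helper: does this libpq connection string make the client verify the
server's identity before SCRAM authentication runs?

Added example, not PostgreSQL project code. Assumptions/simplifications:
  - key=value strings are parsed as whitespace-separated, unquoted tokens
  - only PGSSLMODE is consulted from the environment
"""
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# libpq sslmode values, weakest to strongest. Only verify-full checks that the
# certificate both chains to a trusted CA and matches the host name, which is
# what defeats a spoofed server sitting in the path.
SSLMODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")
LIBPQ_DEFAULT_SSLMODE = "prefer"


def parse_dsn(dsn: str) -> Dict[str, str]:
    """Return connection parameters from a libpq URI or key=value string."""
    if dsn.startswith(("postgresql://", "postgres://")):
        parts = urlsplit(dsn)
        # parse_qs returns lists; libpq takes the last occurrence of a key.
        params = {k: v[-1] for k, v in parse_qs(parts.query).items()}
        if parts.hostname:
            params.setdefault("host", parts.hostname)
        if parts.path and parts.path != "/":
            params.setdefault("dbname", parts.path.lstrip("/"))
        return params
    params: Dict[str, str] = {}
    for token in dsn.split():
        key, _, value = token.partition("=")
        params[key] = value.strip("'")
    return params


def server_identity_verified(dsn: str,
                             env: Optional[Dict[str, str]] = None) -> Tuple[bool, str]:
    """
    Decide whether libpq will verify the server before authenticating.
    Returns (verified, reason). Precedence mirrors libpq: connection string,
    then PGSSLMODE, then the built-in default of "prefer".
    """
    env = env or {}
    params = parse_dsn(dsn)
    sslmode = params.get("sslmode") or env.get("PGSSLMODE") or LIBPQ_DEFAULT_SSLMODE

    if sslmode not in SSLMODES:
        return False, f"unknown sslmode {sslmode!r}"
    if sslmode == "verify-full":
        return True, "sslmode=verify-full: CA chain and host name are checked"
    if sslmode == "verify-ca":
        return False, ("sslmode=verify-ca: CA chain checked but not the host name, "
                       "so any certificate from a trusted CA is accepted")
    if sslmode == "require":
        return False, ("sslmode=require: traffic is encrypted but the server "
                       "certificate is not checked, so a spoofed server can "
                       "present its own certificate")
    return False, f"sslmode={sslmode}: the connection may not use TLS at all"


if __name__ == "__main__":
    # Constructed sample connection strings for illustration.
    samples = [
        "host=db.example.com dbname=app user=app sslmode=verify-full",
        "postgresql://app@db.example.com/app?sslmode=require",
        "host=db.example.com dbname=app",
    ]
    for sample in samples:
        ok, why = server_identity_verified(sample)
        print(("OK   " if ok else "WEAK ") + sample + "\n      " + why)
```

Running the module prints one verdict per sample; only the first string, which sets sslmode=verify-full, passes. The third string shows the default-"prefer" trap: nothing in it mentions SSL, so the connection may silently be unverified or even unencrypted unless PGSSLMODE=verify-full is set in the environment.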