Re: cryptography, was Drawbacks of using BYTEA for PK?
From | Keith C. Perry
---|---
Subject | Re: cryptography, was Drawbacks of using BYTEA for PK?
Date | 
Msg-id | 1074009867.4004170bc1f34@webmail.vcsn.com
In reply to | cryptography, was Drawbacks of using BYTEA for PK? ("Chris Travers" <chris@travelamericas.com>)
Responses | Re: cryptography, was Drawbacks of using BYTEA for PK?
List | pgsql-general
Quoting Chris Travers <chris@travelamericas.com>:

> From: "Keith C. Perry" <netadmin@vcsn.com>
> > Using an MD5 hash to "hide" them will slow your app down by some delta and not protect your connection. Granted garbling that id with a password is somewhat more secure but your connection could still be attacked or even hijacked.
> >
> > In the URL's you gave above, why are you not using HTTPS (i.e. authentication)? What about using cryptographic cookies to identify your session and link that to your userid (after authorization)?
>
> Https I can see. I am having difficulty understanding how you could use cryptographic cookies to prevent session hijacking though given the current setup.

Cryptographic cookies are actually how TCP SYN flood protection is done on Linux and I think Solaris so in my case the OS is handling that. What is implemented there could be implemented at the application layer but I don't think that becomes valid once you are using HTTPS since it provides similar facilities.

In my applications, I simply have Apache push a cookie to the browser (during authorization) which is then used as the session key. Additionally, I almost always use POST methods instead of GET (I hate exposing application logic that way). Every time a user does something, the presence of that cookie is checked in the database.

> Also you could use ssl between the web server and PostgreSQL to secure that connection.

True but that is only half the story. Your client interface is what is public. I would SSL the web <--> db connection as a standard but I would be less concerned about (what I'm assuming is) a local connection behind the DMZ.

> As a side question: Does PostgreSQL support using Kerberos for encrypted connections (beyond authentication), or do you need to use SSL for that?
>
> Best Wishes,
> Chris Travers

Not sure about that one but if so, I'm sure someone will speak up :)

--
Keith C. Perry, MS E.E.
Director of Networks & Applications
VCSN, Inc.
http://vcsn.com

This email account is being hosted by: VCSN, Inc : http://vcsn.com
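The session-cookie scheme Keith describes (a cookie issued after authorization, used as the session key, and looked up in the database on every request) in working form. This is an added illustration, not code from the thread or from PostgreSQL; the table layout, function names and the use of sqlite3 in place of PostgreSQL are assumptions.

```python
import secrets
import sqlite3
from hashlib import sha256
from typing import Optional

# Hypothetical session store (constructed for this example): sqlite3 stands in
# for the PostgreSQL database the reply talks about.
_db = sqlite3.connect(":memory:")
_db.execute(
    "CREATE TABLE sessions (token_hash BLOB PRIMARY KEY, user_id INTEGER NOT NULL)"
)


def _digest(token: str) -> bytes:
    # Only a hash of the cookie is stored, so a leaked table does not hand out
    # usable session cookies; the lookup key is the hash, not the token itself.
    return sha256(token.encode()).digest()


def issue_session(user_id: int) -> str:
    """Called once, after the user has authenticated. Returns the cookie value.

    The token is 256 bits from the OS CSPRNG and carries no user data, so it
    cannot be derived from (or enumerated like) an MD5 of a record id. The
    mapping to the user exists only in the sessions table.
    """
    token = secrets.token_urlsafe(32)
    _db.execute("INSERT INTO sessions VALUES (?, ?)", (_digest(token), user_id))
    return token


def user_for_cookie(token: Optional[str]) -> Optional[int]:
    """Run on every request: map the presented cookie back to a user id.

    Returns None for a missing, unknown or revoked cookie, which the request
    handler treats as 'not logged in'.
    """
    if not token:
        return None
    row = _db.execute(
        "SELECT user_id FROM sessions WHERE token_hash = ?", (_digest(token),)
    ).fetchone()
    return row[0] if row else None


def revoke_session(token: str) -> None:
    """Logout: deleting the row makes the cookie useless immediately."""
    _db.execute("DELETE FROM sessions WHERE token_hash = ?", (_digest(token),))
```

Set the cookie with the Secure and HttpOnly flags over HTTPS so the browser only sends it on the encrypted channel the reply assumes.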