Re: postgresql.key secure storage
From | Sam Mason |
---|---|
Subject | Re: postgresql.key secure storage |
Date | |
Msg-id | 20090914163709.GZ5407@samason.me.uk |
In reply to | Re: postgresql.key secure storage (Tom Lane <tgl@sss.pgh.pa.us>) |
List | pgsql-general |
On Mon, Sep 14, 2009 at 12:17:55PM -0400, Tom Lane wrote:
> Sam Mason <sam@samason.me.uk> writes:
> > On Mon, Sep 14, 2009 at 05:45:14PM +0200, Saleem EDAH-TALLY wrote:
> >> How can a user extract data from a container, by whatever
> >> name we call it, if he does not have the key to open it ?
>
> > Exactly the same way that libpq does--debuggers are powerful tools!
>
> Or even easier, modify the source code of libpq to print out the data
> after it's extracted it.

Yup, I suppose you could even modify libpq to rewrite the "good" SQL into whatever the attacker wants--bypassing any secret based scheme completely.

> Security in an open-source world requires
> a different set of tools than security in a closed-source world.

Strictly speaking, a debugger is the universal mallet :) Also, it shouldn't change much. Security through obscurity is never good, it is employed far too often though thankfully (a bit) less in open-source programs.

--
Sam http://samason.me.uk/