Re: reducing our reliance on MD5
From | Álvaro Hernández Tortosa |
---|---|
Subject | Re: reducing our reliance on MD5 |
Date | |
Msg-id | 54DB52FB.4060701@nosys.es |
In reply to | Re: reducing our reliance on MD5 (Tom Lane <tgl@sss.pgh.pa.us>) |
List | pgsql-hackers |
On 11/02/15 02:30, Tom Lane wrote:
> [...]
>
>
> I think it would be wise to take two steps back and think about what
> the threat model is here, and what we actually need to improve.
> Offhand I can remember two distinct things we might wish to have more
> protection against:
>
> * scraping of passwords off the wire protocol (but is that still
> a threat in an SSL world?). Better salting practice would do more
> than replacing the algorithm as such for this, IMO.

mitm

We might consider it our problem or not, but in general terms man-in-the-middle attacks, which are easy to implement in many scenarios, are a scraping problem. In particular, I have seen tons of developers turn off SSL validation during development and not turning it back on for production, leaving servers vulnerable to password scraping under mitm attacks. So I would always consider hashing anyway. SCRAM seems to be a good solution anyway.

Regards,

Álvaro