Re: md5 auth procotol - can it be replayed?
From | Nagy László Zsolt |
---|---|
Subject | Re: md5 auth procotol - can it be replayed? |
Date | |
Msg-id | 572E2B83.10908@shopzeus.com |
In reply to | Re: md5 auth procotol - can it be replayed? (Tom Lane <tgl@sss.pgh.pa.us>) |
List | pgsql-admin |
>> There is a challenge/response component, so the md5 hash which is stored
>> is not what is sent across the wire. That prevents replay attacks when
>> the attacker is simply sniffing the network.

> Worth noting here is that the challenge key space is not all that huge,
> so an attacker who captures a large number of challenge/response pairs
> would have a good probability of being able to answer the next challenge
> successfully. However, if you're concerned about sniffing of your
> database connections happening on that scale, you really ought to be using
> SSL encryption which would make the whole thing moot. In many cases,
> capturing a database session would reveal lots of interesting data passing
> over the wire whether or not you'd captured a usable password --- so I'd
> call it fairly irresponsible to not be using SSL if you think your
> connection is open to sniffing.

Thank you for your responses, this is exactly what I was looking for.
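
The challenge/response exchange discussed in this thread, as an added example that is not part of the original messages and is not PostgreSQL's own code: it shows why a captured response is only valid for the salt it answered, and how the chance of a salt repeating grows with the number of captured pairs. It assumes the 4-byte salt and the hash construction of PostgreSQL's md5 method; the function names are hypothetical and the user, password and salts are constructed.

```python
import hashlib
import hmac
import math

SALT_BITS = 32  # PostgreSQL's AuthenticationMD5Password message carries a 4-byte salt


def stored_verifier(user: str, password: str) -> str:
    """Value the server stores: 'md5' + md5(password || username)."""
    return "md5" + hashlib.md5((password + user).encode()).hexdigest()


def wire_response(verifier: str, salt: bytes) -> str:
    """Value sent on the wire: 'md5' + md5(hex of stored hash || salt)."""
    return "md5" + hashlib.md5(verifier[3:].encode() + salt).hexdigest()


def server_accepts(verifier: str, salt: bytes, response: str) -> bool:
    """Server side: recompute the expected response for the salt it issued."""
    return hmac.compare_digest(wire_response(verifier, salt), response)


def salt_repeat_probability(captured_pairs: int) -> float:
    """Chance that a fresh uniformly random salt equals one of the captured ones."""
    return -math.expm1(captured_pairs * math.log1p(-(2.0 ** -SALT_BITS)))


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    verifier = stored_verifier("alice", "constructed-password")
    salt_seen = bytes.fromhex("0a1b2c3d")
    salt_next = bytes.fromhex("4e5f6071")
    captured = wire_response(verifier, salt_seen)

    print("stored  :", verifier)
    print("on wire :", captured)
    print("same salt accepted :", server_accepts(verifier, salt_seen, captured))
    print("new salt accepted  :", server_accepts(verifier, salt_next, captured))
    for n in (10**3, 10**6, 10**9):
        print(f"{n:>13,} captured pairs -> P(salt repeats) = {salt_repeat_probability(n):.3e}")
```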