Re: [HACKERS] Authentification method on client side checking
| From | Álvaro Hernández Tortosa |
|---|---|
| Subject | Re: [HACKERS] Authentification method on client side checking |
| Date | |
| Msg-id | 66e45d75-b076-849b-9a49-6d4796da5572@8kdata.com |
| In reply to | [HACKERS] Authentification method on client side checking (Victor Drobny <v.drobny@postgrespro.ru>) |
| Responses | Re: [HACKERS] Authentification method on client side checking |
| List | pgsql-hackers |
On 09/07/17 18:47, Victor Drobny wrote:

> Hello,
>
> Despite the addition of SCRAM authentication to PostgreSQL 10, a MITM
> attack can be performed by saying that the server supports, for
> example, only md5 authentication. The possible solution for it is
> checking the authentication method on the client side and rejecting
> connections that could be unsafe.
>
> The PostgreSQL server can require unencrypted password passing, md5,
> scram, gss or sspi authentication.

Hi Victor.

Precisely yesterday I initiated a similar thread: https://www.postgresql.org/message-id/d4098ef4-2910-c8bf-f1e3-f178ba77c381%408kdata.com

I think that a) the mere auth mechanism is not enough (channel binding or not, ssl or not, change the effective security obtained a lot) and b) maybe a categorization is a better way of specifying connection security requirements. What's your opinion on this?

Any answer should also be coordinated among the drivers.

Álvaro

--
Álvaro Hernández Tortosa
-----------
<8K>data
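The client-side check Victor proposes, as an added example that is not part of this thread or of libpq: a parser for the backend AuthenticationRequest message and a policy that refuses to proceed on anything other than SCRAM, and, following Álvaro's point about channel binding, optionally only on SCRAM-SHA-256-PLUS. Message layout and auth codes follow the PostgreSQL frontend/backend protocol documentation; the sample messages are constructed, not captured traffic.

```python
import struct

# AuthenticationRequest codes from the PostgreSQL frontend/backend protocol
AUTH_OK, AUTH_CLEARTEXT, AUTH_MD5, AUTH_GSS, AUTH_SSPI, AUTH_SASL = 0, 3, 5, 7, 9, 10
SCRAM = "SCRAM-SHA-256"
SCRAM_PLUS = "SCRAM-SHA-256-PLUS"  # channel-binding variant, only meaningful over TLS


def parse_auth_request(msg: bytes):
    """Parse a backend 'R' message: 'R', int32 length (self-inclusive), int32 code, payload.

    For code 10 (SASL) the payload is NUL-terminated mechanism names ending with an
    empty name; for other codes the payload (e.g. the MD5 salt) is ignored here.
    """
    if len(msg) < 9 or msg[:1] != b"R":
        raise ValueError("not an AuthenticationRequest message")
    length, code = struct.unpack("!II", msg[1:9])
    if length != len(msg) - 1:
        raise ValueError("length field does not match message size")
    mechanisms = []
    if code == AUTH_SASL:
        mechanisms = [n.decode("ascii") for n in msg[9:].split(b"\x00") if n]
    return code, mechanisms


def evaluate_auth_request(msg: bytes, require_channel_binding: bool = True):
    """Client-side policy: accept only SCRAM, optionally only with channel binding.

    Returns (accepted, detail). A client aborts the connection on False before
    sending any password-derived data, so a downgraded offer yields nothing.
    """
    code, mechanisms = parse_auth_request(msg)
    if code != AUTH_SASL:
        return False, f"server requested auth code {code}; policy requires SCRAM"
    wanted = SCRAM_PLUS if require_channel_binding else SCRAM
    if wanted not in mechanisms:
        return False, f"server offered {mechanisms}; policy requires {wanted}"
    return True, wanted


def build_auth_request(code: int, payload: bytes = b"") -> bytes:
    """Build a backend 'R' message (constructed test input, not captured traffic)."""
    body = struct.pack("!I", code) + payload
    return b"R" + struct.pack("!I", 4 + len(body)) + body


if __name__ == "__main__":
    # Constructed samples: an md5 request with a fake salt, and a proper SCRAM offer.
    md5_offer = build_auth_request(AUTH_MD5, b"\x01\x02\x03\x04")
    scram_offer = build_auth_request(AUTH_SASL, b"SCRAM-SHA-256-PLUS\x00SCRAM-SHA-256\x00\x00")
    print(evaluate_auth_request(md5_offer))
    print(evaluate_auth_request(scram_offer))
```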