Re: SCRAM with channel binding downgrade attack

On 06/06/18 23:31, Peter Eisentraut wrote:
> On 6/6/18 16:26, Heikki Linnakangas wrote:
>> On 06/06/18 23:20, Peter Eisentraut wrote:
>>> Aren't we attacking this on the wrong level?  We are here attempting to
>>> prevent a SCRAM-SHA-256-PLUS -> SCRAM-SHA-256 downgrade, but we are not
>>> preventing a SCRAM-SHA-256-PLUS -> anything-else downgrade.
>>
>> The latest patch does prevent that, too. That was my complaint at
>> https://www.postgresql.org/message-id/030284cc-d1d6-ce88-b677-a814f61c1880%40iki.fi,
>> but it's been fixed now. (Or if you see a case where it still isn't,
>> that's a bug.)
> 
> OK, that would do, but we don't do anything about a SCRAM-SHA-256 ->
> anything-else downgrade.  Instead of tying this to the channel binding,
> should we tie it to the authentication type?

That would certainly be good. We've always had that problem, even with 
md5 -> plaintext password downgrade, and it would be nice to fix it. 
It's quite late in the release cycle already, do you think we should 
address that now? I could go either way..

What should the option look like? Perhaps something like:

allowed_authentication_methods=md5,SCRAM-SHA-256,SCRAM-SHA-256-PLUS

That would not be very user-friendly, though.

- Heikki