Re: Replay attack of query cancel

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Alvaro Herrera <alvherre(at)commandprompt(dot)com>, Andrew Gierth <andrew(at)tao11(dot)riddles(dot)org(dot)uk>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Replay attack of query cancel
Date: 2008-11-21 04:31:21
Message-ID: 200811210431.mAL4VLd22226@momjian.us
Lists: pgsql-hackers


This bug has not been fixed, but it is on the TODO list:

o Prevent query cancel packets from being replayed by an attacker,
especially when using SSL

I am going to consider this item closed meaning I am not going to track
that it is fixed for 8.4; it is just documented on our TODO as a known
limitation.

---------------------------------------------------------------------------

Magnus Hagander wrote:
> Tom Lane wrote:
> > Alvaro Herrera <alvherre(at)commandprompt(dot)com> writes:
> >> Andrew Gierth wrote:
> >>> 2. The server accepts either the old-style or the secure cancel
> >>> request from the client, but doesn't allow old-style requests
> >>> once a valid secure request has been seen.
> >
> >> Hmm, I think there should be a way to turn off acceptance of old-style
> >> without necessarily requiring a new-style request. Otherwise, how are
> >> you protected from DoS if you have never sent a cancel request at all?
> >
> > Assuming you were using SSL, it's hard to see how an attacker is going
> > to get your cancel key without having seen a cancel request.
>
> Not only that, but he'll have to see an *old-style* cancel request,
> since the new style doesn't contain the key.
>
> And if you're *not* using SSL, the attacker can just sniff the key off
> the initial packet instead.
>
>
> > However, I dislike Andrew's proposal above even without that issue,
> > because it means *still more* changeable state that has to be magically
> > shared between postmaster and backends. If we want to have a way for
> > people to disable insecure cancels, we should just have a postmaster
> > configuration parameter that does it.
>
> Agreed. Your security policy also should not depend on what your client
> happens to do, it should be enforceable.
>
>
> //Magnus
>
>
> --
> Sent via pgsql-hackers mailing list (pgsql-hackers(at)postgresql(dot)org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-hackers

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +
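The thread contrasts an old-style cancel request, whose packet carries the cancel key itself and can therefore be replayed by anyone who captured it, with a secure request that does not contain the key, and Tom Lane's suggestion of a postmaster parameter to refuse insecure cancels regardless of what the client does. The following toy model, added here as an illustration and not PostgreSQL's code or its actual protocol, makes the replay difference concrete: the "secure" variant is assumed to be a challenge-response (server-issued one-time nonce, client answers with an HMAC over pid and nonce), and `accept_insecure_cancels` is a hypothetical name for the configuration parameter the thread proposes. The model covers only replay of the cancel packet; as Magnus notes, without SSL the key is exposed in the initial connection anyway.

```python
import hashlib
import hmac
import secrets


def compute_proof(key: bytes, pid: int, nonce: bytes) -> bytes:
    """Client side of the assumed secure cancel: prove possession of the
    key without transmitting it, bound to a nonce that is used only once."""
    return hmac.new(key, pid.to_bytes(4, "big") + nonce, hashlib.sha256).digest()


class CancelServer:
    """Constructed stand-in for a postmaster's cancel handling (not PostgreSQL code)."""

    def __init__(self, accept_insecure_cancels: bool = True):
        self.keys = {}                 # pid -> cancel key handed out at connection start
        self.challenges = {}           # challenge id -> nonce for secure requests in flight
        self.accept_insecure_cancels = accept_insecure_cancels  # hypothetical GUC name
        self.cancel_log = []           # pids for which a cancel was honoured

    def start_backend(self, pid: int) -> bytes:
        """Mimics BackendKeyData: the client learns the key when it connects."""
        key = secrets.token_bytes(16)
        self.keys[pid] = key
        return key

    def cancel_insecure(self, pid: int, key: bytes) -> bool:
        """Old-style request: the packet itself carries the key, so any captured
        copy of it remains valid for the lifetime of the backend."""
        if not self.accept_insecure_cancels:
            return False
        ok = pid in self.keys and hmac.compare_digest(self.keys[pid], key)
        if ok:
            self.cancel_log.append(pid)
        return ok

    def open_secure_cancel(self):
        """Step 1 of the assumed secure request: server issues a fresh nonce."""
        cid = secrets.token_hex(8)
        nonce = secrets.token_bytes(16)
        self.challenges[cid] = nonce
        return cid, nonce

    def cancel_secure(self, cid: str, pid: int, proof: bytes) -> bool:
        """Step 2: the packet carries only HMAC(key, pid || nonce). The nonce is
        consumed on first use, so a captured proof cannot be played back."""
        nonce = self.challenges.pop(cid, None)
        if nonce is None or pid not in self.keys:
            return False
        ok = hmac.compare_digest(compute_proof(self.keys[pid], pid, nonce), proof)
        if ok:
            self.cancel_log.append(pid)
        return ok


def replay_scenarios() -> dict:
    """Simulates an observer who captured one cancel packet off an unencrypted
    wire and sends it again. Returns whether each replay was honoured."""
    results = {}
    pid = 4242  # constructed backend pid

    # Old-style: the captured packet contains the key, so the replay succeeds.
    srv = CancelServer()
    key = srv.start_backend(pid)
    captured = (pid, key)
    results["old_style_first"] = srv.cancel_insecure(*captured)
    results["old_style_replay"] = srv.cancel_insecure(*captured)

    # Secure: the captured packet holds only a proof bound to a one-time nonce.
    srv = CancelServer()
    key = srv.start_backend(pid)
    cid, nonce = srv.open_secure_cancel()
    captured = (cid, pid, compute_proof(key, pid, nonce))
    results["secure_first"] = srv.cancel_secure(*captured)
    results["secure_replay_same_challenge"] = srv.cancel_secure(*captured)
    cid2, _nonce2 = srv.open_secure_cancel()
    results["secure_replay_new_challenge"] = srv.cancel_secure(cid2, pid, captured[2])

    # Server-side policy: insecure cancels refused even from a client that sends them.
    srv = CancelServer(accept_insecure_cancels=False)
    key = srv.start_backend(pid)
    results["insecure_disabled"] = srv.cancel_insecure(pid, key)
    cid, nonce = srv.open_secure_cancel()
    results["secure_with_insecure_disabled"] = srv.cancel_secure(cid, pid, compute_proof(key, pid, nonce))
    return results


if __name__ == "__main__":
    for name, honoured in replay_scenarios().items():
        print(f"{name:32s} honoured={honoured}")
```

The one-time nonce is what makes the difference: a proof is only valid for the challenge it answers, so an observer holding a copy of the packet gains nothing, whereas the old-style packet is a bearer token. The last scenario shows why the policy belongs in the server configuration rather than in client behaviour.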
