From: | Andrew Gierth <andrew(at)tao11(dot)riddles(dot)org(dot)uk> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Alvaro Herrera <alvherre(at)commandprompt(dot)com>, pgsql-hackers(at)postgresql(dot)org, Magnus Hagander <magnus(at)hagander(dot)net> |
Subject: | Re: Replay attack of query cancel |
Date: | 2008-08-17 02:24:46 |
Message-ID: | 87r68o5qfl.fsf@news-spur.riddles.org.uk |
Lists: | pgsql-hackers |

>>>>> "Tom" == Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> writes:

>> Andrew Gierth wrote:
>>> 2. The server accepts either the old-style or the secure cancel
>>> request from the client, but doesn't allow old-style requests
>>> once a valid secure request has been seen.

>> Hmm, I think there should be a way to turn off acceptance of
>> old-style without necessarily requiring a new-style request.
>> Otherwise, how are you protected from DoS if you have never sent a
>> cancel request at all?

Tom> Assuming you were using SSL, it's hard to see how an attacker is
Tom> going to get your cancel key without having seen a cancel
Tom> request.

Tom> However, I dislike Andrew's proposal above even without that
Tom> issue, because it means *still more* changeable state that has
Tom> to be magically shared between postmaster and backends.

You get it for free; initialize N on the server side to 0, and accept
old-style cancels only if it is still 0. (Require the first secure
cancel to have N > 0)

--
Andrew.
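
The acceptance rule from this message, sketched as an added example (not PostgreSQL code and not code from the thread). The message only specifies that N starts at 0, that old-style cancels are accepted only while it is still 0, and that the first secure cancel must have N > 0. The form of the secure request (N plus an HMAC-SHA256 over N keyed by the cancel key), the strictly-increasing rule for later N values, and all names are assumptions.

```python
import hashlib
import hmac
import struct


def secure_tag(cancel_key: bytes, n: int) -> bytes:
    """Assumed secure-cancel proof: HMAC-SHA256 over the 64-bit counter N."""
    return hmac.new(cancel_key, struct.pack("!Q", n), hashlib.sha256).digest()


class CancelState:
    """Server-side cancel state for one backend (hypothetical structure)."""

    def __init__(self, cancel_key: bytes):
        self.cancel_key = cancel_key
        self.n = 0  # 0 means no valid secure cancel has been seen yet

    def accept_old_style(self, presented_key: bytes) -> bool:
        # Old-style request carries the bare key; allowed only while N == 0.
        if self.n != 0:
            return False
        return hmac.compare_digest(presented_key, self.cancel_key)

    def accept_secure(self, n: int, tag: bytes) -> bool:
        # N must exceed the stored value, so the first secure cancel has
        # N > 0 and a captured (N, tag) pair cannot be replayed.
        if n <= self.n or n >= 2**64:
            return False
        if not hmac.compare_digest(tag, secure_tag(self.cancel_key, n)):
            return False
        self.n = n  # the single piece of state doubles as the old-style switch
        return True


def demo() -> dict:
    key = bytes.fromhex("0011223344556677")  # constructed sample cancel key
    fresh = CancelState(key)
    out = {"secure_n0_rejected": not fresh.accept_secure(0, secure_tag(key, 0))}
    out["old_style_before"] = fresh.accept_old_style(key)
    captured = (1, secure_tag(key, 1))  # what an eavesdropper would see
    out["secure_first"] = fresh.accept_secure(*captured)
    out["replay_rejected"] = not fresh.accept_secure(*captured)
    out["old_style_after"] = fresh.accept_old_style(key)
    out["secure_next"] = fresh.accept_secure(2, secure_tag(key, 2))
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
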