Re: cryptography, was Drawbacks of using BYTEA for PK?

From: Keith C. Perry
Subject: Re: cryptography, was Drawbacks of using BYTEA for PK?
Date:
Msg-id: 1074009867.4004170bc1f34@webmail.vcsn.com
In reply to: cryptography, was Drawbacks of using BYTEA for PK?  ("Chris Travers" <chris@travelamericas.com>)
Responses: Re: cryptography, was Drawbacks of using BYTEA for PK?  (Greg Stark <gsstark@mit.edu>)
List: pgsql-general
Quoting Chris Travers <chris@travelamericas.com>:

> From: "Keith C. Perry" <netadmin@vcsn.com>
> > Using an MD5 hash to
> > "hide" them will slow your app down by some delta and not protect your
> > connection.  Granted garbling that id with a password is somewhat more
> > secure but your connection could still be attacked or even hijacked.
> >
> > In the URLs you gave above, why are you not using HTTPS (i.e.
> > authentication)?  What about using cryptographic cookies to identify your
> > session and link that to your userid (after authorization)?
>
> Https I can see.  I am having difficulty understanding how you could use
> cryptographic cookies to prevent session hijacking though given the current
> setup.

Cryptographic cookies are actually how TCP SYN flood protection is done on Linux
and I think Solaris, so in my case the OS is handling that.  What is implemented
there could be implemented at the application layer but I don't think that
becomes valid once you are using HTTPS since it provides similar facilities.

In my applications, I simply have Apache push a cookie to the browser (during
authorization) which is then used as the session key.  Additionally, I almost
always use POST methods instead of GET (I hate exposing application logic that
way).  Every time a user does something, the presence of that cookie is checked
in the database.

> Also you could use ssl between the web server and PostgreSQL to
> secure that connection.

True but that is only half the story.  Your client interface is what is
public.  I would SSL the web <--> db connection as a standard but I would be
less concerned about (what I'm assuming is) a local connection behind the DMZ.

> As a side question:  Does PostgreSQL support using Kerberos for encrypted
> connections (beyond authentication), or do you need to use SSL for that?
>
> Best Wishes,
> Chris Travers
>

Not sure about that one but if so, I'm sure someone will speak up  :)

--
Keith C. Perry, MS E.E.
Director of Networks & Applications
VCSN, Inc.
http://vcsn.com

____________________________________
This email account is being hosted by:
VCSN, Inc : http://vcsn.com
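The session-cookie scheme Keith describes above (cookie issued during authorization, then its presence checked in the database on every request) can be made concrete with a small example. This is added illustration code, not code from either poster or from PostgreSQL; it uses an in-memory SQLite table as a stand-in for the sessions table, and the server key, the cookie layout (`userid:token:tag`) and the helper names are all assumptions. It shows the two properties a "cryptographic cookie" needs if it is to resist the guessing and hijacking concerns raised in the thread: the session token is unguessable random data, stored only as a hash so a leaked table does not hand out live sessions, and an HMAC tag binds the token to the userid so the two cannot be recombined, with the per-request lookup also enforcing expiry and revocation.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

# Assumed server-side secret for the HMAC tag. In a real deployment it would be
# loaded from protected configuration; this constructed value is for the example only.
SERVER_KEY = b"constructed-example-key-not-for-production"
SESSION_TTL = 3600  # seconds a session stays valid after it is issued


def open_store():
    """Stand-in for the sessions table the message talks about (SQLite, in memory)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE sessions ("
        " token_hash TEXT PRIMARY KEY,"  # SHA-256 of the token, never the token itself
        " userid     TEXT NOT NULL,"
        " created    REAL NOT NULL)"
    )
    return db


def _token_hash(token):
    return hashlib.sha256(token.encode()).hexdigest()


def _tag(userid, token):
    # Binds the random token to the userid; without SERVER_KEY nobody can forge this.
    return hmac.new(SERVER_KEY, f"{userid}:{token}".encode(), hashlib.sha256).hexdigest()


def issue_session(db, userid, now=None):
    """Called once after successful authorization; returns the cookie value to set."""
    now = time.time() if now is None else now
    token = secrets.token_hex(32)  # 256 bits of CSPRNG output, not derived from the userid
    db.execute(
        "INSERT INTO sessions (token_hash, userid, created) VALUES (?, ?, ?)",
        (_token_hash(token), userid, now),
    )
    return f"{userid}:{token}:{_tag(userid, token)}"


def validate_cookie(db, cookie, now=None):
    """Run on every request: returns the userid for a live session, else None."""
    now = time.time() if now is None else now
    parts = cookie.rsplit(":", 2)  # rsplit so a userid may itself contain ':'
    if len(parts) != 3:
        return None
    userid, token, tag = parts
    # Constant-time compare of the tag rejects tampering with either userid or token.
    if not hmac.compare_digest(_tag(userid, token), tag):
        return None
    row = db.execute(
        "SELECT userid, created FROM sessions WHERE token_hash = ?",
        (_token_hash(token),),
    ).fetchone()
    if row is None or row[0] != userid:
        return None  # unknown, revoked, or token paired with the wrong user
    if now - row[1] > SESSION_TTL:
        revoke_session(db, cookie)  # expired sessions are cleaned up on sight
        return None
    return userid


def revoke_session(db, cookie):
    """Logout: deleting the row is enough because every request re-checks the table."""
    parts = cookie.rsplit(":", 2)
    if len(parts) != 3:
        return False
    cur = db.execute("DELETE FROM sessions WHERE token_hash = ?", (_token_hash(parts[1]),))
    return cur.rowcount == 1


if __name__ == "__main__":
    store = open_store()
    cookie = issue_session(store, "alice", now=1000.0)
    print("valid:", validate_cookie(store, cookie, now=1500.0))
    print("after logout:", validate_cookie(store, cookie, now=1500.0) if not revoke_session(store, cookie) else None)
```

Note that the cookie carries no password or MD5 of the id at all, which is the point made earlier in the thread: the server only needs to recognise a token it generated, so the token can be pure randomness. The cookie should still be sent only over HTTPS and marked as such, since this scheme protects against guessing and forging the cookie, not against reading it off an unencrypted connection.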
