On Fri, Sep 26, 2008 at 06:15:46PM -0400, Bruce Momjian wrote:
> I am confused how knowing that a sequence number used for a primary key
> exists or doesn't exist is leaking _meaningful_ information.
This sort of side-channel intelligence is _exactly_ how certain kinds
of security exploits work: I'm not supposed to know that _x_ exists;
but by knowing key-of-_x_, I learn that _x_ exists. From existence, I
can infer something, and from that inference I construct an attack
that was supposed to be forestalled by the access controls.
I am by no means a security expert, but I know enough about the area
to know that it is very hard to get right, and that seemingly
insignificant flaws in design turn out to be major vulnerabilities.
To speak about something I do know about, when DNS was designed,
nobody could have imagined that the widespread availability of
recursion would turn out to be a flaw. Today, it turns out that open
recursion can be used in an attack that magnifies the attacker's
outbound traffic by many orders of magnitude. This sort of surprise
side effect is why I am so anxious that something advertised as a
security system fit really well with the proposed use cases.
A
--
Andrew Sullivan
ajs@commandprompt.com
+1 503 667 4564 x104
http://www.commandprompt.com/