Stephen Frost <sfrost@snowman.net> writes:
> Attackers aren't likely to have the kind of isolated control over the
> data in the WAL stream (which is a combination of data from lots of
> ongoing activity in the system and isn't likely to be exactly what the
> attacker supplied at some higher level anyway) and the ability to read
> and analyze the WAL stream from a primary to a replica to be able to
> effectively attack it.

Yeah, I concur with that so far as WAL data goes. A hypothetical attacker
will not have control over xact IDs, tuple TIDs, etc., which will add
enough entropy to the stream that extracting data payloads seems pretty
infeasible.

My concern upthread was about client-session connections, where such
mitigation doesn't apply. (I wonder a bit about logical-replication
streams, too.)

regards, tom lane