Re: disable SSL compression?

From Tom Lane
Subject Re: disable SSL compression?
Date
Msg-id 321.1522687585@sss.pgh.pa.us
In reply to Re: disable SSL compression?  (Peter Eisentraut <peter.eisentraut@2ndquadrant.com>)
Responses Re: disable SSL compression?  (Peter Eisentraut <peter.eisentraut@2ndquadrant.com>)
Re: disable SSL compression?  (Garick Hamlin <ghamlin@isc.upenn.edu>)
Re: disable SSL compression?  (Andres Freund <andres@anarazel.de>)
List pgsql-hackers
Peter Eisentraut <peter.eisentraut@2ndquadrant.com> writes:
> I agree the attack is less likely to be applicable in typical database
> installations.  I think we should move forward with considering protocol
> compression proposals, but any final result should put a warning in the
> documentation that using compression is potentially insecure.

It seemed like the attack you described wasn't all that dependent on
whether the data is compressed or not: if you can see the size of the
server's reply to "select ... where account_number = x", you can pretty
well tell the difference between 0 and 1 rows, with or without
compression.  So I'm still not very clear on what the threat model is.

            regards, tom lane

