Magnus Hagander <magnus@hagander.net> writes:
> Tom Lane wrote:
>> Having a connection that
>> was encrypted in 8.3 silently become clear-text after installing 8.4
>> is just plain NOT acceptable.
>>
>> I think the patch would be fine if we simply keep the default where
>> it is, however. Is there some point I am missing that compels
>> selection of a less-secure default?
> The current default *makes no sense*. Ever. Not just as a default.
I categorically reject that thinking. Encrypted connections are useful
even without authentication. Your argument ignores the real fact that
eavesdropping is easier than man-in-the-middle attacks. Even if there
weren't any significant difference, what is the gain from switching to
unencrypted in cases where we previously used encryption? There is
none.
> However, I can see us having "allow" instead of "disable" as the
> default. That is the most forgiving of all settings - it will work with
> whatever you had configured before.
And it still moves us to "less secure than 8.3 by default", because
configurations that formerly used encrypted connections might now use
unencrypted ones. It's not acceptable.
regards, tom lane