Re: RFC 9266: Channel Bindings for TLS 1.3 support

On 20/11/2025 23:59, Jacob Champion wrote:
> On Thu, Nov 20, 2025 at 1:52 PM Heikki Linnakangas <hlinnaka@iki.fi> wrote:
>> PostgreSQL does support channel binding, with tls-server-end-point. I
>> believe that sufficient to prevent an attack like that.
> 
> No, IIRC unique bindings (-unique and -exporter) prevent MITM even if
> the attacker has the server's private key, as long as they do not also
> possess the SCRAM verifiers. tls-server-end-point does not prevent
> against that (so you can terminate TLS on a different node from the
> verifiers).

If I understood the incident correctly, the attacker managed to somehow 
obtain a valid TLS certificate for the victim domain. They used that to 
perform a MITM attack. They did not have the server's private key. (Or 
if they did, they did not use that for the attack).

That's an advantage in general though, even if it wouldn't have made a 
difference in this instance. So fair point.

- Heikki