Thread: ssl and/or md5 encryption

ssl and/or md5 encryption

From
Colton A Smith
Date:
Hi:

   I specify md5 encryption in my pg_hba.conf file.  Would using SSL on
top of this be overkill?

Thanks

Re: ssl and/or md5 encryption

From
Michael Fuhr
Date:
On Wed, Nov 30, 2005 at 08:24:34AM -0500, Colton A Smith wrote:
>   I specify md5 encryption in my pg_hba.conf file.  Would using SSL on
> top of this be overkill?

Specifying md5 in pg_hba.conf affects only password authentication;
everything else will be sent in cleartext.

What's your threat model?  What do you want to secure?  Just
authentication, or data transfer as well?

--
Michael Fuhr

Re: ssl and/or md5 encryption

From
Bruno Wolff III
Date:
On Wed, Nov 30, 2005 at 08:24:34 -0500,
  Colton A Smith <smith@cs.utk.edu> wrote:
>
>   I specify md5 encryption in my pg_hba.conf file.  Would using SSL on
> top of this be overkill?

md5 password hashing doesn't buy a whole lot.
If packet sniffing is a significant threat for you, you probably want to
consider forcing clients to use SSL.
If you have CPU cycles to burn, you probably also want to use it.
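
Added example, not part of the thread or of PostgreSQL itself: a small audit of pg_hba.conf that lists the rules under which a TCP client can connect without SSL, which is the situation the replies above describe (md5 covers only the password exchange). The sample file contents and the function names are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample pg_hba.conf content (not from the thread).
SAMPLE_HBA = """\
# TYPE   DATABASE  USER  ADDRESS          METHOD
local    all       all                    md5
host     all       all   127.0.0.1/32     md5
host     appdb     app   10.0.0.0/8       md5
host     appdb     app   192.168.1.0 255.255.255.0 md5
hostssl  appdb     app   0.0.0.0/0        md5
hostnossl all      all   172.16.0.0/12    trust
"""

def parse_rule(line):
    """Return (type, address, method) for a rule line, or None for blanks/comments."""
    tokens = shlex.split(line, comments=True)
    if not tokens:
        return None
    if tokens[0] == "local":            # Unix socket: no address column
        return ("local", None, tokens[3])
    addr, rest = tokens[3], tokens[4:]
    if "/" not in addr and len(rest) > 1:
        try:                            # old-style "address netmask" pair
            ipaddress.ip_address(rest[0])
            addr, rest = f"{addr}/{rest[0]}", rest[1:]
        except ValueError:
            pass
    return (tokens[0], addr, rest[0])

def cleartext_rules(hba_text):
    """List (line_no, address, method) for rules that admit non-SSL TCP clients."""
    findings = []
    for no, line in enumerate(hba_text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None or rule[0] not in ("host", "hostnossl"):
            continue                    # local and hostssl never carry cleartext TCP
        try:
            if ipaddress.ip_network(rule[1], strict=False).is_loopback:
                continue                # loopback traffic does not cross the wire
        except ValueError:
            pass                        # hostname or keyword: treat as remote
        findings.append((no, rule[1], rule[2]))
    return findings

if __name__ == "__main__":
    for no, addr, method in cleartext_rules(SAMPLE_HBA):
        print(f"line {no}: {addr} ({method}) accepts unencrypted connections; use hostssl")
```

A `host` rule matches both SSL and non-SSL connections, so changing a flagged rule to `hostssl` is what forces clients onto SSL; the server must also have SSL enabled for those rules to match.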