Re: libpq compression (part 3)
От | Jacob Champion |
---|---|
Тема | Re: libpq compression (part 3) |
Дата | |
Msg-id | CAOYmi+kA94o-VUmpQfuJVqf5zt5vMLu0Rjskb_iHE4W3O8OicA@mail.gmail.com обсуждение исходный текст |
Ответ на | Re: libpq compression (part 3) (Robert Haas <robertmhaas@gmail.com>) |
Ответы |
Re: libpq compression (part 3)
Re: libpq compression (part 3) |
Список | pgsql-hackers |
On Mon, May 20, 2024 at 11:37 AM Robert Haas <robertmhaas@gmail.com> wrote: > But if that's a practical > attack, preventing compression prior to the authentication exchange > probably isn't good enough I mean... you said it, not me. I'm trying not to rain on the parade too much, because compression is clearly very valuable. But it makes me really uncomfortable that we're reintroducing the compression oracle (especially over the authentication exchange, which is generally more secret than the rest of the traffic). > But, does this mean that we should just refuse to offer compression as > a feature? This kind of attack isn't a threat in every environment, > and in some environments, compression could be pretty useful. For > instance, you might need to pull down a lot of data from the database > over a slow connection. Perhaps you're the only user of the database, > and you wrote all of the queries yourself in a locked vault, accepting > no untrusted inputs. In that case, these kinds of attacks aren't > possible, or at least I don't see how, but you might want both > compression and encryption. Right, I think it's reasonable to let a sufficiently determined/informed user lift the guardrails, but first we have to choose to put guardrails in place... and then we have to somehow sufficiently inform the users when it's okay to lift them. > I guess I don't understand why TLS removed > support for encryption entirely instead of disclaiming its use in some > appropriate way. One of the IETF conversations was at [1] (there were dissenters on the list, as you might expect). My favorite summary is this one from Alyssa Rowan: > Compression is usually best performed as "high" as possible; transport layer is blind to what's being compressed, whichis (as we now know) was definitely too low and was in retrospect a mistake. > > Any application layer protocol needs to know - if compression is supported - to separate compression contexts for attacker-chosenplaintext and attacker-sought unknown secrets. (As others have stated, HTTPbis covers this.) But for SQL, where's the dividing line between attacker-chosen and attacker-sought? To me, it seems like only the user knows; the server has no clue. I think that puts us "lower" in Alyssa's model than HTTP is. As Andrey points out, there was prior work done that started to take this into account. I haven't reviewed it to see how good it is -- and I think there are probably many use cases in which queries and tables contain both private and attacker-controlled information -- but if we agree that they have to be separated, then the strategy can at least be improved upon. --Jacob [1] https://mailarchive.ietf.org/arch/msg/tls/xhMLf8j4pq8W_ZGXUUU1G_m6r1c/
В списке pgsql-hackers по дате отправления: