On Sun, Oct 21, 2012 at 09:55:50AM +0200, Magnus Hagander wrote:
> I don't see a problem at all with providing the snakeoil cert. In
> fact, it's quite useful.
>
> I see a problem with enabling it by default. Because it makes people
> think they are more secure than they are.

So, what you're suggesting is that any use of ssl to a remote machine
without the sslrootcert option should generate a warning. Something
along the lines of "remote server not verified"? For completeness it
should also show this for any non-SSL connection. libpq should export a
"serververified" flag which would be false always unless the connection
is SSL and the CA is verified.

> In a browser, they will get a big fat warning every time, so they will
> know it. There is no such warning in psql. Actually, maybe we should
> *add* such a warning. We could do it in psql. We can't do it in libpq
> for everyone, but we can do it in our own tools... Particularly since
> we do print the SSL information already - we could just add a
> "warning: cert not verified" or something like that to the same piece
> of information.

It bugs me every time you have to jump through hoops and get red
warnings for an unknown CA, whereas no encryption whatsoever is treated
as fine while being actually even worse. Transport encryption is a
*good thing*, we should be encouraging it wherever possible. If it
weren't for the performance issues I'd suggest defaulting to SSL
everywhere transparently with ephemeral certs. It would protect against
any number of passive attacks.

Have a nice day,
-- 
Martijn van Oosterhout <klep...@svana.org> http://svana.org/kleptog/
> He who writes carelessly confesses thereby at the very outset that he does
> not attach much importance to his own thoughts. -- Arthur Schopenhauer
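The "serververified" flag sketched in the message above, as an added example that is not libpq or psql code: a small Python classifier that parses a libpq connection string (key=value form or postgresql:// URI) and reports whether the connection is encrypted, whether the server's CA is actually verified, and what a psql-style "remote server not verified" notice would say. The sslmode semantics and the ~/.postgresql/root.crt default are taken from the libpq documentation; the Unix-socket rule (host unset or starting with "/") assumes a Unix client; sslrootcert=system only exists in newer libpq; the connection strings in the demo are constructed.

```python
"""Classify what a libpq connection string guarantees about the server.

Added example, not libpq/psql code.  Assumptions: conninfo grammar and
sslmode semantics as documented for libpq; default root CA file
~/.postgresql/root.crt; Unix-socket detection assumes a Unix client.
"""
import os
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import parse_qsl, urlparse

SSL_MODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")
DEFAULT_ROOTCERT = os.path.expanduser("~/.postgresql/root.crt")


def parse_conninfo(conninfo: str) -> Dict[str, str]:
    """Parse "key=value key2='quoted \\'value\\''" or a postgresql:// URI."""
    if conninfo.startswith(("postgresql://", "postgres://")):
        url = urlparse(conninfo)
        params = dict(parse_qsl(url.query))
        if url.hostname:
            params.setdefault("host", url.hostname)
        if url.path.lstrip("/"):
            params.setdefault("dbname", url.path.lstrip("/"))
        return params
    params: Dict[str, str] = {}
    i, n = 0, len(conninfo)
    while i < n:
        while i < n and conninfo[i].isspace():
            i += 1
        if i >= n:
            break
        j = i
        while j < n and conninfo[j] != "=" and not conninfo[j].isspace():
            j += 1
        key, i = conninfo[i:j], j
        while i < n and conninfo[i].isspace():
            i += 1
        if i >= n or conninfo[i] != "=":
            raise ValueError("missing '=' after %r" % key)
        i += 1
        while i < n and conninfo[i].isspace():
            i += 1
        if i < n and conninfo[i] == "'":          # quoted value, \' and \\ escapes
            i, buf = i + 1, []
            while True:
                if i >= n:
                    raise ValueError("unterminated quoted value for %r" % key)
                c, i = conninfo[i], i + 1
                if c == "'":
                    break
                if c == "\\":
                    if i >= n:
                        raise ValueError("dangling backslash in value for %r" % key)
                    c, i = conninfo[i], i + 1
                buf.append(c)
            value = "".join(buf)
        else:                                      # bare value runs to whitespace
            j = i
            while j < n and not conninfo[j].isspace():
                j += 1
            value, i = conninfo[i:j], j
        params[key] = value
    return params


@dataclass
class Assessment:
    sslmode: str
    local: bool              # Unix-domain socket: libpq does not use SSL here
    encrypted: str           # "never", "opportunistic" (may fall back to plaintext), "always"
    server_verified: bool    # certificate chain checked against a trusted CA
    hostname_checked: bool   # certificate name matched against host (verify-full only)
    warning: Optional[str]   # what a psql-style notice next to the SSL info would say


def assess(conninfo: str,
           rootcert_exists: Callable[[str], bool] = os.path.exists) -> Assessment:
    p = parse_conninfo(conninfo)
    host = p.get("host", "")
    local = host == "" or host.startswith("/")
    # libpq defaults: sslmode=prefer; the deprecated requiressl=1 means require.
    mode = p.get("sslmode") or ("require" if p.get("requiressl") == "1" else "prefer")
    if mode not in SSL_MODES:
        raise ValueError("unknown sslmode %r" % mode)
    rootcert = p.get("sslrootcert") or DEFAULT_ROOTCERT
    have_root = rootcert == "system" or rootcert_exists(rootcert)  # "system": newer libpq
    if local:
        return Assessment(mode, True, "never", False, False, None)
    encrypted = {"disable": "never", "allow": "opportunistic",
                 "prefer": "opportunistic"}.get(mode, "always")
    # Only verify-ca/verify-full demand a CA check; per the libpq docs, "require"
    # checks the chain only if a root CA file happens to be present.
    verified = mode.startswith("verify") or (mode == "require" and have_root)
    hostname_checked = mode == "verify-full"
    if mode.startswith("verify") and not have_root:
        warning = "root CA file %s not found: libpq will refuse to connect" % rootcert
    elif encrypted == "never":
        warning = "connection is not encrypted: remote server not verified"
    elif encrypted == "opportunistic":
        warning = "SSL optional (sslmode=%s): may fall back to plaintext, server not verified" % mode
    elif not verified:
        warning = "SSL encrypted but remote server not verified (no trusted CA configured)"
    elif not hostname_checked:
        warning = "certificate chain verified but hostname not checked (use sslmode=verify-full)"
    else:
        warning = None
    return Assessment(mode, False, encrypted, verified, hostname_checked, warning)


if __name__ == "__main__":
    for ci in ("host=db.example.com dbname=app",                       # constructed
               "host=db.example.com dbname=app sslmode=require",
               "postgresql://app@db.example.com/app?sslmode=verify-full"):
        a = assess(ci, rootcert_exists=lambda _p: False)
        print("%-60s verified=%-5s %s" % (ci, a.server_verified, a.warning or "ok"))
```

The middle case is the one the thread is about: sslmode=require gives transport encryption with no idea who is on the other end, and the only thing that upgrades it to a real CA check is a root.crt file that happens to exist. A psql-side notice built from `Assessment.warning` would make that visible on every connection, which is what the proposed "serververified" flag is for.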