On Wed, Apr 15, 2015 at 9:42 PM, Michael Paquier
<michael.paqu...@gmail.com> wrote:
> On Wed, Apr 15, 2015 at 9:20 PM, Michael Paquier
> <michael.paqu...@gmail.com> wrote:
>> On Wed, Apr 15, 2015 at 2:22 PM, Fujii Masao wrote:
>>> On Wed, Apr 15, 2015 at 11:55 AM, Michael Paquier wrote:
>>>> 1) Doc patch to mention that it is possible that compression can give
>>>> hints to attackers when working on sensible fields that have a
>>>> non-fixed size.
>>>
>>> I think that this patch is enough as the first step.
>>
>> I'll get something done for that at least, a big warning below the
>> description of wal_compression would do it.
So here is a patch for this purpose, with the following text being used:
+ <warning>
+ <para>
+ When enabling <varname>wal_compression</varname>, there is a risk
+ to leak data similarly to the BREACH and CRIME attacks on SSL where
+ the compression ratio of a full page image gives a hint of what is
+ the existing data of this page. Tables that contain sensitive
+ information like <structname>pg_authid</structname> with password
+ data could be potential targets to such attacks. Note that as a
+ prerequisite a user needs to be able to insert data on the same page
+ as the data targeted and need to be able to detect checkpoint
+ presence to find out if a compressed full page write is included in
+ WAL to calculate the compression ratio of a page using WAL positions
+ before and after inserting data on the page with data targeted.
+ </para>
+ </warning>
Comments and reformulations are welcome.
Regards,
--
Michael
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index b30c68d..2f61e29 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -2303,6 +2303,22 @@ include_dir 'conf.d'
but at the cost of some extra CPU spent on the compression during
WAL logging and on the decompression during WAL replay.
</para>
+
+ <warning>
+ <para>
+ When enabling <varname>wal_compression</varname>, there is a risk
+ to leak data similarly to the BREACH and CRIME attacks on SSL where
+ the compression ratio of a full page image gives a hint of what is
+ the existing data of this page. Tables that contain sensitive
+ information like <structname>pg_authid</structname> with password
+ data could be potential targets to such attacks. Note that as a
+ prerequisite a user needs to be able to insert data on the same page
+ as the data targeted and need to be able to detect checkpoint
+ presence to find out if a compressed full page write is included in
+ WAL to calculate the compression ratio of a page using WAL positions
+ before and after inserting data on the page with data targeted.
+ </para>
+ </warning>
</listitem>
</varlistentry>
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
