Re: [Firebird-devel] Authentication plugin mismatch not clearly reported to client

On 25-6-2018 12:26, Dimitry Sibiryakov wrote: 25.06.2018 12:22, Alex Peshkoff via Firebird-devel wrote:   This attack does not depend on plugin name knowledge. If one is using legacy plugin no need to try >8 chars passwords.   This is prevented by timeout after 3 unsuccessful logins. You

Re: [Firebird-devel] Authentication plugin mismatch not clearly reported to client

On 25-6-2018 10:35, Alex Peshkoff via Firebird-devel wrote: On 25.06.2018 10:47, Mark Rotteveel wrote: On 2018-06-24 20:49, Alex Peshkoff via Firebird-devel wrote: Because it's bad idea to open to client (specially not authenticated) details of problems with authentication. I agree with that

Re: [Firebird-devel] Authentication plugin mismatch not clearly reported to client

25.06.2018 12:29, Tony Whyman wrote: There is nothing theoretical about brute force attacks. They always work, the only issue how long they take. Look at my answer to Alex. This is topic about replacing error "shit happen" with something useful for diagnostic. -- WBR, SD.

Re: [Firebird-devel] Authentication plugin mismatch not clearly reported to client

On 25/06/18 11:17, Dimitry Sibiryakov wrote: 25.06.2018 11:29, Tony Whyman wrote: Even if it were still computationally infeasible to break Srp today, it is probably that in the next few years it will be totally broken.   You missed my words "non-theoretical". There is nothing theoretical

Re: [Firebird-devel] Passing plugin list to native client

On 25-6-2018 10:32, Alex Peshkoff via Firebird-devel wrote: On 25.06.2018 10:51, Mark Rotteveel wrote: On 2018-06-24 20:51, Alex Peshkoff via Firebird-devel wrote: Because it's as designed. What problems with it? Having to construct the config string is awkward, especially when you already

Re: [Firebird-devel] Authentication plugin mismatch not clearly reported to client

On 25.06.2018 13:17, Dimitry Sibiryakov wrote: 25.06.2018 11:14, Alex Peshkoff via Firebird-devel wrote: Bruteforce passwords over the wire. We are still missing any passwords regulation (like min.length, UP/low letters, etc.) i.e. people can use passwords like 'pass' and such things can be

Re: [Firebird-devel] Authentication plugin mismatch not clearly reported to client

25.06.2018 11:14, Alex Peshkoff via Firebird-devel wrote: Bruteforce passwords over the wire. We are still missing any passwords regulation (like min.length, UP/low letters, etc.) i.e. people can use passwords like 'pass' and such things can be bruteforced. This attack does not depend on

Re: [Firebird-devel] Authentication plugin mismatch not clearly reported to client

25.06.2018 11:29, Tony Whyman wrote: Even if it were still computationally infeasible to break Srp today, it is probably that in the next few years it will be totally broken. You missed my words "non-theoretical". -- WBR, SD.

Re: [Firebird-devel] Authentication plugin mismatch not clearly reported to client

On 25/06/18 10:14, Alex Peshkoff via Firebird-devel wrote: On 25.06.2018 12:02, Dimitry Sibiryakov wrote: 25.06.2018 10:35, Alex Peshkoff via Firebird-devel wrote: Afraid you are wrong here. It helps an attacker to detect what plugin is actually used by server (for example - srp or srp256)

Re: [Firebird-devel] Authentication plugin mismatch not clearly reported to client

On 25/06/18 10:02, Dimitry Sibiryakov wrote: 25.06.2018 10:35, Alex Peshkoff via Firebird-devel wrote: Afraid you are wrong here. It helps an attacker to detect what plugin is actually used by server (for example - srp or srp256) and use that info to attack particular plugin later.   Does

Re: [Firebird-devel] Authentication plugin mismatch not clearly reported to client

On 25.06.2018 12:02, Dimitry Sibiryakov wrote: 25.06.2018 10:35, Alex Peshkoff via Firebird-devel wrote: Afraid you are wrong here. It helps an attacker to detect what plugin is actually used by server (for example - srp or srp256) and use that info to attack particular plugin later.   Does

Re: [Firebird-devel] Authentication plugin mismatch not clearly reported to client

On 25.06.2018 10:47, Mark Rotteveel wrote: On 2018-06-24 20:49, Alex Peshkoff via Firebird-devel wrote: On 23.06.2018 17:06, Mark Rotteveel wrote: Why is an authentication plugin mismatch (as in the list of plugins between client and server have no overlap) not clearly communicated to the

Re: [Firebird-devel] Passing plugin list to native client

On 25.06.2018 10:51, Mark Rotteveel wrote: On 2018-06-24 20:51, Alex Peshkoff via Firebird-devel wrote: On 23.06.2018 19:05, Mark Rotteveel wrote: When using the native fbclient, why can't I use isc_dpb_auth_plugin_list/isc_spb_auth_plugin_list to pass the authentication plugins to try, and

Re: [Firebird-devel] Passing plugin list to native client

On 2018-06-24 20:51, Alex Peshkoff via Firebird-devel wrote: On 23.06.2018 19:05, Mark Rotteveel wrote: When using the native fbclient, why can't I use isc_dpb_auth_plugin_list/isc_spb_auth_plugin_list to pass the authentication plugins to try, and why do I need to use the

Re: [Firebird-devel] Authentication plugin mismatch not clearly reported to client

On 2018-06-24 20:49, Alex Peshkoff via Firebird-devel wrote: On 23.06.2018 17:06, Mark Rotteveel wrote: Why is an authentication plugin mismatch (as in the list of plugins between client and server have no overlap) not clearly communicated to the client? For example if I have AuthServer =

Re: [Firebird-devel] Smart end of statement detection in ISQL

Adriano dos Santos Fernandes wrote Sun, 24 Jun 2018 21:09:21 +0300: Not touching the algorithm AUTOTERM. This functionality would be useful. Moreover, some IDEs for Firebird successfully solve this problem, for example IB Expert. Although perhaps this is not cheap. -- Simonov Denis