The Majority of PostgreSQL Servers on the Internet Are Insecure
29 comments·October 4, 2022
I think the announced results are specifically referring to servers available on the internet.
That's GP's point, that's already a 'smell' (in the strict 'hm, that seems suspiciously like it might not be right' sense).
(co-author) - `prefer` is... not great. That'll silently fall back to an unencrypted connection without warning the user.
If you are the one using a programming library directly, you may know that `prefer` does this. If you are using a client that doesn't expose this to you, you may not know that you are using an unencrypted connection after you had set ssl on.
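The fallback the two comments above describe is a property of how libpq resolves `sslmode`: a DSN parameter wins, otherwise the `PGSSLMODE` environment variable, otherwise the built-in default `prefer`, which tries TLS first and silently continues in cleartext if the server refuses. The following is an added example, not code from the thread or from PostgreSQL itself, that resolves the effective mode for a connection string the same way, says whether that mode can end up in plaintext or unauthenticated, and rewrites the DSN to `verify-full`. The hostnames, DSNs and the CA path are constructed for illustration, and treating the deprecated `requiressl=1` as `sslmode=require` is an assumption taken from the libpq documentation.

```python
"""Audit and harden libpq-style connection strings for sslmode.

Added example, not code from the thread or from PostgreSQL itself.
Precedence mirrors libpq: a DSN parameter beats PGSSLMODE, which beats
the built-in default of "prefer".
"""
import os
import re
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# libpq's sslmode values, weakest to strongest. "prefer" is the default.
SSL_MODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")
DEFAULT_SSLMODE = "prefer"
URI_SCHEMES = ("postgresql://", "postgres://")

# key=value DSN tokens: bare words or single-quoted values with backslash escapes
_KV_RE = re.compile(r"(\w+)\s*=\s*('(?:[^'\\]|\\.)*'|\S+)")


def _dsn_params(dsn):
    """Return libpq options from a URI (query string) or key=value DSN."""
    if dsn.startswith(URI_SCHEMES):
        return {k: v[-1] for k, v in parse_qs(urlparse(dsn).query).items()}
    return {k: v.strip("'") for k, v in _KV_RE.findall(dsn)}


def effective_sslmode(dsn, environ=None):
    """Resolve the sslmode libpq would actually use for this DSN."""
    environ = os.environ if environ is None else environ
    params = _dsn_params(dsn)
    if "sslmode" in params:
        mode = params["sslmode"]
    elif params.get("requiressl") == "1":
        mode = "require"  # assumption: deprecated alias for sslmode=require
    elif environ.get("PGSSLMODE"):
        mode = environ["PGSSLMODE"]
    else:
        mode = DEFAULT_SSLMODE  # nothing set anywhere: "prefer", can fall back
    if mode not in SSL_MODES:
        raise ValueError(f"unknown sslmode {mode!r}")
    return mode


def classify(mode):
    """What the mode guarantees; only the verify-* modes stop an active MITM."""
    if mode in ("disable", "allow", "prefer"):
        return "plaintext possible"
    if mode == "require":
        return "encrypted, server identity unverified"
    if mode == "verify-ca":
        return "encrypted, CA-verified, hostname unverified"
    return "encrypted, host verified"


def harden_dsn(dsn, sslrootcert=None):
    """Rewrite dsn so it cannot fall back: sslmode=verify-full (+ CA file)."""
    params = _dsn_params(dsn)
    params.pop("requiressl", None)
    params["sslmode"] = "verify-full"
    if sslrootcert:
        params["sslrootcert"] = sslrootcert
    if dsn.startswith(URI_SCHEMES):
        parts = urlparse(dsn)
        return urlunparse(parts._replace(query=urlencode(params, safe="/")))

    def quote(v):  # re-quote values that need it in key=value form
        return f"'{v}'" if (v == "" or re.search(r"\s", v)) else v

    return " ".join(f"{k}={quote(v)}" for k, v in params.items())


def audit(dsn, environ=None):
    """(effective mode, verdict) for one DSN."""
    mode = effective_sslmode(dsn, environ)
    return mode, classify(mode)


if __name__ == "__main__":
    # Constructed sample DSNs; db.internal and the CA path are illustrative.
    samples = [
        "host=db.internal dbname=app user=app",              # silent default
        "postgresql://app@db.internal/app?sslmode=prefer",   # explicit, same thing
        "postgresql://app@db.internal/app?sslmode=require",
        "host=db.internal dbname=app sslmode=verify-full sslrootcert=/etc/ssl/certs/ca.pem",
    ]
    for dsn in samples:
        mode, verdict = audit(dsn, environ={})
        print(f"{mode:12} {verdict:45} {dsn}")
        if verdict == "plaintext possible":
            print(f"{'':12} -> {harden_dsn(dsn, '/etc/ssl/certs/ca.pem')}")
```

Note that `require` alone still accepts any certificate the server presents, so an on-path attacker can terminate TLS and relay; only `verify-full` with a trusted `sslrootcert` pins the server identity. The server-side complement, which this example does not touch, is `pg_hba.conf`: `hostssl` rules for the networks that may connect and a trailing `hostnossl ... reject` so that a client whose `prefer` fell back to cleartext is refused rather than served.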
Do you understand that Postgres devs have been all over this since (likely) the time you were born? The conventional, real and actual servers that matter are generally not at all visible on the Internet, period. Because they know this. It's like this paper tests servers that don't care, and declares the entire product insecure. Bad take, scare-mongering.
Who cares though? All connections to SQL servers are going to be localhost or over a VPN. If your setup for Postgres has an SSL certificate, you're doing something terribly wrong to begin with. I'm not even sure why the option exists to begin with; there's no use case.
> if your setup for postgres has a SSL certificate you're doing something terribly wrong to begin with.
No, that's a bad take. We should encrypt everything. The reasoning for not doing so in the past was computing power. Nowadays, that's really not a problem. Even my personal servers in my home network are all operating with encrypted links - because why the heck not? At work, everything that can be encrypted is encrypted, otherwise it's a bug. Even if currently 'there's no way' for attackers to get to that particular network. Emphasis on "currently". We shouldn't be a compromise away from leaking everything. Defense in depth.
Plus, the more you are familiar with setting up encryption, the less tempted you are going to be to cut corners when you are setting up something that's at a higher risk.
Many places have security policies that require all traffic to be encrypted, even over local networks.
Still, Oracle is the worst.
All the SQL transit is cleartext by default.
A "wallet" can be defined for TLS, but the Oracle Instant Client doesn't (appear to) support this functionality.
I push all my local Oracle database links over stunnel.
Oracle SQL Developer even has an SSH pane, because wallets are so very unusable.
> This is a configurable item, and the idea that everything should always be encrypted all the time may not be true for various use-cases.
Isn't that what 'default' means? When you have exceptions, you can change from the default.
Default highly secure is not always the best option when it may severely conflict with usability, or require significant amounts of labor to instantiate.
If the key intention for a downloadable PostgreSQL is developer productivity, and the intended environment is local on a laptop communicating with a client local there too, then this would make a lot more sense.
That sounds like a very good reason to add another security layer like client certificate authentication.
Not really. Most of the time setting up a segregated network architecture is actually easier than dealing with encrypted database connections -- certificate management is by nature dynamic vs. the static nature of a secure network
According to Google, "insecure" means:
1. not firmly fixed; liable to give way or break. 2. (of a person) not confident or assured; uncertain and anxious.
1. (especially of a computer system) not protected against attack or other criminal activity. 2. (of a loan) unsecured.
Google doesn't source its definition, but all reputable dictionaries I could find disagree:
https://www.merriam-webster.com/dictionary/insecure definition 3, https://dictionary.cambridge.org/dictionary/english/insecure definition 2, https://www.collinsdictionary.com/dictionary/english/insecur... definition 2, https://www.oxfordlearnersdictionaries.com/definition/englis... definition 2
Dictionaries have also by and large given up on prescriptivism. The correct use of language is the way language is being used, with dictionaries trailing and recording consensus reality, not defining it.
Google's dictionary is sourced from Oxford Languages, at least for the English dictionary.