Unfortunately the clickbait headline does not convey the enormous streetlight-effect skew in the sample.
This article is essentially content marketing for a DBaaS company, for which the author appears to serve as CTO, to promote a alternative default configuration that favours their business model.
That's a strange take on the subject of db servers and ssl usage.
Most db servers shouldn't be accessible on internet, which skews the announced result a lot.
And, obviously, clients and servers generally won't require ssl by default, because it would make no sense in most situations. (but at least the 'prefer' default setting is mentionned)
Requiring a certificate to run the server isn't something that is likely to become the default setting for a while...
(co-author) - `prefer` is... not great. That'll silently fall back to an unencrypted connection without warning the user.
If you are the one using a programming library directly, you may know that `prefer` does this. If you are using a client that doesn't expose this to you, you may not know that you are using an unencrypted connection after you had set ssl on.
While I am a security person, and I <3 Postgres, there are assumptions in this article that are false in this marketing masquerading as an article.
> At most 15% of the approximately 820,000 PostgreSQL servers listening on the Internet require encryption.
No, this is merely the ones that you can scan that are potentially identifiable as Postgres. You're missing a literal ton, and you are probably connecting to most of the PG honeypots in the world, and then making conclusions about the state of all Postgres.
Congrats, you fell for a trap!
> most popular SQL clients are more than happy to accept unencrypted connections without a warning
This is a configurable item, and the idea that everything should always be encrypted all the time may not be true for various use-cases.
While secure by default is a consideration, I'd dare say that the likely use-case is more so get Postgres running on a developer machine, connect to it locally, only!
> Connections to servers with self-signed certificates are encrypted, but the certificates often do not confer trust: generally, they are neither issued nor validated by a certificate authority, they don’t expire, and they can’t be revoked.
There is another giant assumption in this case, that a self-signed, enterprise, or private PKI is a bad one. Foremost it may be self-signed because that is the standard for honeypots. But the idea that self-signed is bad is not just false, it is actually wrong . Because many public PKIs, particularly ones adherent to CAB, are making trades that may be good for general use, but are very bad for specific other use-cases.
To add to that, when you see a private PKI, an enterprise PKI, etc, you don't know if they can be revoked, or can't be revoked because you don't have access to the PKI internals, and you don't know them. I doubt many public CAs have the security characteristics I've seen in private PKIs around attack resistance, existence on multiple networks, splitting CA and VA functions, using high assurance functions for those interacting with the PKI, and willingness to invest in the correct hardware and proper staff to operate it. Most private PKIs distribute and configure trust stores as a part of an enterprise or govt function, but how they do that does not mean secure or insecure automatically. However, given that they are not configured to fail open like most of the internet, and much of the private PKIs are highly regulated, I cannot concur with the idea that private is bad.
Some private PKIs are actually far more secure than public CAs because they are redundant in a way that Commercial CAs generally are not, given their mission to support Operational Technology, ICS/SCADA, among other things.
Right now, the CAB forum has some pretty weak activities written into their procedures. 2FA phishing resistant MFA? NOPE! A CAB Forum CA recently admitted as much "we'd love to move to more secure authentication procedures but we are constrained by CAB". So, they are making insecure phone calls verifying things, creating certs based in part off a phone call. What a joke!
Most of the article just touches on encryption, languages using TLS, and Authentication only.
There is alot more to Postgres security than just AuthN, and there is no mention of the platform upon which it runs.
For example there is the DISA STIG for Postgres [1] and a CIS Benchmark also [2] and a CIS Prehardened Image [3] for running it in the cloud
There are lots of guides on automating this [4]
There are even pre-secured Postgres databases with nifty security features [5]
More than all of these references though, Postgres has a great community that is available on IRC [6] that is highly willing to help you work through some of these options for your own. Long ago I got a great deal of help when working on PG, and they are a truly awesome group.
inopinatus|3 years ago
This article is essentially content marketing for a DBaaS company, for which the author appears to serve as CTO, to promote a alternative default configuration that favours their business model.
koollman|3 years ago
_bohm|3 years ago
adam_gyroscope|3 years ago
If you are the one using a programming library directly, you may know that `prefer` does this. If you are using a client that doesn't expose this to you, you may not know that you are using an unencrypted connection after you had set ssl on.
chasil|3 years ago
All the SQL transit is cleartext by default.
A "wallet" can be defined for TLS, but the Oracle Instant Client doesn't (appear to) support this functionality.
I push all my local Oracle database links over stunnel.
Oracle SQL Developer even has an SSH pane, because wallets are so very unusable.
eric4smith|3 years ago
The pg_hba file goes out or it’s way to make it difficult to even connect locally easily.
Nevertheless you would do it so that your db server can be reached by the other machines.
Sigh.
I suppose not fire-walling everything would be someone’s own fault.
And not setting proper passwords.
And not turning on SSL.
beep_boop_beep_|3 years ago
OrvalWintermute|3 years ago
> At most 15% of the approximately 820,000 PostgreSQL servers listening on the Internet require encryption.
No, this is merely the ones that you can scan that are potentially identifiable as Postgres. You're missing a literal ton, and you are probably connecting to most of the PG honeypots in the world, and then making conclusions about the state of all Postgres.
Congrats, you fell for a trap!
> most popular SQL clients are more than happy to accept unencrypted connections without a warning
This is a configurable item, and the idea that everything should always be encrypted all the time may not be true for various use-cases.
While secure by default is a consideration, I'd dare say that the likely use-case is more so get Postgres running on a developer machine, connect to it locally, only!
> Connections to servers with self-signed certificates are encrypted, but the certificates often do not confer trust: generally, they are neither issued nor validated by a certificate authority, they don’t expire, and they can’t be revoked.
There is another giant assumption in this case, that a self-signed, enterprise, or private PKI is a bad one. Foremost it may be self-signed because that is the standard for honeypots. But the idea that self-signed is bad is not just false, it is actually wrong . Because many public PKIs, particularly ones adherent to CAB, are making trades that may be good for general use, but are very bad for specific other use-cases.
To add to that, when you see a private PKI, an enterprise PKI, etc, you don't know if they can be revoked, or can't be revoked because you don't have access to the PKI internals, and you don't know them. I doubt many public CAs have the security characteristics I've seen in private PKIs around attack resistance, existence on multiple networks, splitting CA and VA functions, using high assurance functions for those interacting with the PKI, and willingness to invest in the correct hardware and proper staff to operate it. Most private PKIs distribute and configure trust stores as a part of an enterprise or govt function, but how they do that does not mean secure or insecure automatically. However, given that they are not configured to fail open like most of the internet, and much of the private PKIs are highly regulated, I cannot concur with the idea that private is bad.
Some private PKIs are actually far more secure than public CAs because they are redundant in a way that Commercial CAs generally are not, given their mission to support Operational Technology, ICS/SCADA, among other things.
Right now, the CAB forum has some pretty weak activities written into their procedures. 2FA phishing resistant MFA? NOPE! A CAB Forum CA recently admitted as much "we'd love to move to more secure authentication procedures but we are constrained by CAB". So, they are making insecure phone calls verifying things, creating certs based in part off a phone call. What a joke!
Most of the article just touches on encryption, languages using TLS, and Authentication only.
There is alot more to Postgres security than just AuthN, and there is no mention of the platform upon which it runs.
For example there is the DISA STIG for Postgres [1] and a CIS Benchmark also [2] and a CIS Prehardened Image [3] for running it in the cloud
There are lots of guides on automating this [4]
There are even pre-secured Postgres databases with nifty security features [5]
More than all of these references though, Postgres has a great community that is available on IRC [6] that is highly willing to help you work through some of these options for your own. Long ago I got a great deal of help when working on PG, and they are a truly awesome group.
[1] https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_PGS_... && https://www.stigviewer.com/stig/postgresql_9.x/
[2] https://www.cisecurity.org/cis-benchmarks/
[3] https://www.cisecurity.org/cis-hardened-image-list/
[4] https://medium.com/hackernoon/automate-implementing-the-disa...
[5] https://www.crunchydata.com/products/hardened-postgres
[6] https://www.postgresql.org/community/irc/
outworlder|3 years ago
Isn't that what 'default' means? When you have exceptions, you can change from the default.
Areading314|3 years ago
imtringued|3 years ago
meken|3 years ago
levkk|3 years ago
According to Google, "insecure" means:
1. not firmly fixed; liable to give way or break. 2. (of a person) not confident or assured; uncertain and anxious.
and "unsecure":
1. (especially of a computer system) not protected against attack or other criminal activity. 2. (of a loan) unsecured.
tomrod|3 years ago