Michel Pelletier <pelletier.michel@xxxxxxxxx> writes: > Hello, > > I'm the author of the pgsodium cryptography library. I have a question > about a best practice I'm thinking of enforcing. Several functions in > pgsodium generate secrets, I want to check the Proc info to enforce that > those functions can only be called using a local domain socket or an ssl > connection. If the connection isn't secure by that definition, secret > generating functions will fail. > > If someone really wants to point the gun at their foot, they can connect > with an unsecured proxy. My goal would be to make bypassing the check > annoying. > > Any thoughts? Is this an insufferably rude attitude? Are there scenarios > where one can foresee needing to generate secrets not over ssl or a domain > socket? > I'm never very fond of enforcing a particular behaviour as it assumes we understand all environments and use cases. Far better to make this the default behaviour, but allow users to disable it if they want and clearly document that option as insecure. I also suspect that without the ability to somehow disable the checks, people will find elaborate ways to work around them which are almost certainly going to be even worse from a security perspective. -- Tim Cross
