On Sun, Jun 7, 2020 at 10:32:39AM +1000, Tim Cross wrote:
>
> Michel Pelletier <pelletier.michel@xxxxxxxxx> writes:
>
> > Hello,
> >
> > I'm the author of the pgsodium cryptography library. I have a question
> > about a best practice I'm thinking of enforcing. Several functions in
> > pgsodium generate secrets; I want to check the Proc info to enforce that
> > those functions can only be called using a local domain socket or an ssl
> > connection. If the connection isn't secure by that definition,
> > secret-generating functions will fail.
> >
> > If someone really wants to point the gun at their foot, they can connect
> > with an unsecured proxy. My goal would be to make bypassing the check
> > annoying.
> >
> > Any thoughts? Is this an insufferably rude attitude? Are there scenarios
> > where one can foresee needing to generate secrets not over ssl or a domain
> > socket?
>
> I'm never very fond of enforcing a particular behaviour as it assumes we
> understand all environments and use cases. Far better to make this the
> default behaviour, but allow users to disable it if they want and
> clearly document that option as insecure. I also suspect that without
> the ability to somehow disable the checks, people will find elaborate
> ways to work around them which are almost certainly going to be even
> worse from a security perspective.

You also have to allow a way to disable it that is secure or it is useless,
which makes it even more complex.

--
  Bruce Momjian  <bruce@xxxxxxxxxx>        https://momjian.us
  EnterpriseDB                             https://enterprisedb.com

  The usefulness of a cup is in its emptiness, Bruce Lee
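One way to express the check Michel describes (refuse secret generation unless the session came in over a Unix-domain socket or TLS) together with the documented opt-out Tim asks for, written as an added example in plain SQL/PL-pgSQL against stock PostgreSQL. This is not pgsodium's code; the function names `connection_is_secure()`, `require_secure_connection()` and `generate_demo_secret()` and the setting name `pgsodium.allow_insecure` are assumptions made for the illustration. It relies on two documented facts: `inet_client_addr()` returns NULL for a Unix-domain-socket connection, and `pg_stat_ssl` (PostgreSQL 9.5 and later) reports `ssl = true` for a backend whose connection is encrypted.

```sql
-- Added example, not pgsodium's own code. Assumed/hypothetical names:
-- connection_is_secure(), require_secure_connection(), generate_demo_secret()
-- and the custom setting pgsodium.allow_insecure.

-- True when the calling session cannot be sniffed on the wire:
--   * inet_client_addr() IS NULL  => client connected over a Unix-domain socket
--   * pg_stat_ssl.ssl             => this backend's TCP connection uses TLS
CREATE OR REPLACE FUNCTION connection_is_secure() RETURNS boolean
LANGUAGE sql STABLE AS $$
  SELECT inet_client_addr() IS NULL
      OR EXISTS (SELECT 1
                   FROM pg_stat_ssl
                  WHERE pid = pg_backend_pid()
                    AND ssl);
$$;

-- Guard to call at the top of every secret-generating function.
-- Secure by default; the opt-out is a setting so it can be documented
-- as "insecure" rather than forcing people into creative workarounds.
CREATE OR REPLACE FUNCTION require_secure_connection() RETURNS void
LANGUAGE plpgsql AS $$
BEGIN
  -- current_setting(name, true) yields NULL instead of an error when the
  -- custom setting has never been defined, so the default is "off".
  IF coalesce(current_setting('pgsodium.allow_insecure', true), 'off') = 'on' THEN
    RETURN;
  END IF;

  IF NOT connection_is_secure() THEN
    RAISE EXCEPTION 'secret generation refused over an unencrypted TCP connection'
      USING HINT = 'Connect over a Unix-domain socket or with sslmode=require, '
                || 'or set pgsodium.allow_insecure = on (documented as insecure).';
  END IF;
END;
$$;

-- Stand-in for a pgsodium generator: pgcrypto's gen_random_bytes() is used
-- here only so the example runs on an unmodified server
-- (CREATE EXTENSION pgcrypto; on releases before 13).
CREATE OR REPLACE FUNCTION generate_demo_secret() RETURNS bytea
LANGUAGE plpgsql AS $$
BEGIN
  PERFORM require_secure_connection();
  RETURN gen_random_bytes(32);
END;
$$;

-- Usage:
--   SELECT generate_demo_secret();                -- errors on plain TCP
--   SET pgsodium.allow_insecure = on;             -- explicit, documented opt-out
--   SELECT generate_demo_secret();
```

Two caveats worth knowing before copying this pattern. First, `pg_stat_ssl` only tells you whether the hop into this server is encrypted; as Michel notes, a client sitting behind a TLS-terminating or socket-forwarding proxy will look "secure" to the backend, so the check raises the bar rather than proving end-to-end confidentiality. Second, a placeholder setting like `pgsodium.allow_insecure` can be flipped by any session with `SET`, which is exactly the "disable it in a secure way" problem Bruce raises; a compiled extension would instead register the variable with `DefineCustomBoolVariable()` using context `PGC_SUSET`, so that only a superuser (or `postgresql.conf`) can turn the check off while ordinary roles cannot.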