Unfortunately the clickbait headline does not convey the enormous streetlight-effect skew in the sample.
This article is essentially content marketing for a DBaaS company, for which the author appears to serve as CTO, to promote a alternative default configuration that favours their business model.
That's a strange take on the subject of db servers and ssl usage.
Most db servers shouldn't be accessible on internet, which skews the announced result a lot.
And, obviously, clients and servers generally won't require ssl by default, because it would make no sense in most situations. (but at least the 'prefer' default setting is mentionned)
Requiring a certificate to run the server isn't something that is likely to become the default setting for a while...
(co-author) - `prefer` is... not great. That'll silently fall back to an unencrypted connection without warning the user.
If you are the one using a programming library directly, you may know that `prefer` does this. If you are using a client that doesn't expose this to you, you may not know that you are using an unencrypted connection after you had set ssl on.
do you understand that Postgres devs have been all over this since (likely) the time you were born? The conventional, real and actual servers that matter are generally not at all visible on the Internet, period. Because they know this.. its like this paper tests servers that dont care, and declare the entire product unsecure. Bad take, scare-mongering
Who cares though? All connections to SQL servers are going to be localhost or over a VPN, if your setup for postgres has a SSL certificate you're doing something terribly wrong to begin with. I'm not even sure why the option exists to begin with, there's no use case.
> if your setup for postgres has a SSL certificate you're doing something terribly wrong to begin with.
No, that's a bad take. We should encrypt everything. The reasoning for not doing so in the past was computing power. Nowadays, that's really not a problem. Even my personal servers in my home network are all operating with encrypted links - because why the heck not? At work, everything that can be encrypted is encrypted, otherwise it's a bug. Even if currently 'there's no way' for attackers to get to that particular network. Emphasis on "currently". We shouldn't be a compromise away from leaking everything. Defense in depth.
Plus, the more you are familiar with setting up encryption, the less tempted you are going to be to cut corners when you are setting up something that's at a higher risk.
A VPN generally connects networks, so that’s probably overkill for a database connection, but sure you could use one. Or something like stunnel, etc. or you could just use the built in feature already in Postgres. Why such resistance to simply having this option?
While I am a security person, and I <3 Postgres, there are assumptions in this article that are false in this marketing masquerading as an article.
> At most 15% of the approximately 820,000 PostgreSQL servers listening on the Internet require encryption.
No, this is merely the ones that you can scan that are potentially identifiable as Postgres. You're missing a literal ton, and you are probably connecting to most of the PG honeypots in the world, and then making conclusions about the state of all Postgres.
Congrats, you fell for a trap!
> most popular SQL clients are more than happy to accept unencrypted connections without a warning
This is a configurable item, and the idea that everything should always be encrypted all the time may not be true for various use-cases.
While secure by default is a consideration, I'd dare say that the likely use-case is more so get Postgres running on a developer machine, connect to it locally, only!
> Connections to servers with self-signed certificates are encrypted, but the certificates often do not confer trust: generally, they are neither issued nor validated by a certificate authority, they don’t expire, and they can’t be revoked.
There is another giant assumption in this case, that a self-signed, enterprise, or private PKI is a bad one. Foremost it may be self-signed because that is the standard for honeypots. But the idea that self-signed is bad is not just false, it is actually wrong . Because many public PKIs, particularly ones adherent to CAB, are making trades that may be good for general use, but are very bad for specific other use-cases.
To add to that, when you see a private PKI, an enterprise PKI, etc, you don't know if they can be revoked, or can't be revoked because you don't have access to the PKI internals, and you don't know them. I doubt many public CAs have the security characteristics I've seen in private PKIs around attack resistance, existence on multiple networks, splitting CA and VA functions, using high assurance functions for those interacting with the PKI, and willingness to invest in the correct hardware and proper staff to operate it. Most private PKIs distribute and configure trust stores as a part of an enterprise or govt function, but how they do that does not mean secure or insecure automatically. However, given that they are not configured to fail open like most of the internet, and much of the private PKIs are highly regulated, I cannot concur with the idea that private is bad.
Some private PKIs are actually far more secure than public CAs because they are redundant in a way that Commercial CAs generally are not, given their mission to support Operational Technology, ICS/SCADA, among other things.
Right now, the CAB forum has some pretty weak activities written into their procedures. 2FA phishing resistant MFA? NOPE! A CAB Forum CA recently admitted as much "we'd love to move to more secure authentication procedures but we are constrained by CAB". So, they are making insecure phone calls verifying things, creating certs based in part off a phone call. What a joke!
Most of the article just touches on encryption, languages using TLS, and Authentication only.
There is alot more to Postgres security than just AuthN, and there is no mention of the platform upon which it runs.
For example there is the DISA STIG for Postgres [1] and a CIS Benchmark also [2] and a CIS Prehardened Image [3] for running it in the cloud
There are lots of guides on automating this [4]
There are even pre-secured Postgres databases with nifty security features [5]
More than all of these references though, Postgres has a great community that is available on IRC [6] that is highly willing to help you work through some of these options for your own. Long ago I got a great deal of help when working on PG, and they are a truly awesome group.
Default highly secure is not always the best option when it may severely conflict with usability, or require significant amounts of labor to instantiate.
If the key intention for a downloadable Postgresql is developer productivity, and the intended environment is local on a laptop communicating to a client local there too, then this would make alot more sense.
Not really. Most of the time setting up a segregated network architecture is actually easier than dealing with encrypted database connections -- certificate management is by nature dynamic vs. the static nature of a secure network
Dictionaries have also by and large given up on prescriptivism. The correct use of language is the way language is being used, with dictionaries trailing and recording consensus reality, not defining it.
This article is essentially content marketing for a DBaaS company, for which the author appears to serve as CTO, to promote a alternative default configuration that favours their business model.