| While I am a security person, and I <3 Postgres, there are assumptions in this article that are false in this marketing masquerading as an article. > At most 15% of the approximately 820,000 PostgreSQL servers listening on the Internet require encryption. No, this is merely the ones that you can scan that are potentially identifiable as Postgres. You're missing a literal ton, and you are probably connecting to most of the PG honeypots in the world, and then making conclusions about the state of all Postgres. Congrats, you fell for a trap! > most popular SQL clients are more than happy to accept unencrypted connections without a warning This is a configurable item, and the idea that everything should always be encrypted all the time may not be true for various use-cases. While secure by default is a consideration, I'd dare say that the likely use-case is more so get Postgres running on a developer machine, connect to it locally, only! > Connections to servers with self-signed certificates are encrypted, but the certificates often do not confer trust: generally, they are neither issued nor validated by a certificate authority, they don’t expire, and they can’t be revoked. There is another giant assumption in this case, that a self-signed, enterprise, or private PKI is a bad one. Foremost it may be self-signed because that is the standard for honeypots. But the idea that self-signed is bad is not just false, it is actually wrong . Because many public PKIs, particularly ones adherent to CAB, are making trades that may be good for general use, but are very bad for specific other use-cases. To add to that, when you see a private PKI, an enterprise PKI, etc, you don't know if they can be revoked, or can't be revoked because you don't have access to the PKI internals, and you don't know them. I doubt many public CAs have the security characteristics I've seen in private PKIs around attack resistance, existence on multiple networks, splitting CA and VA functions, using high assurance functions for those interacting with the PKI, and willingness to invest in the correct hardware and proper staff to operate it. Most private PKIs distribute and configure trust stores as a part of an enterprise or govt function, but how they do that does not mean secure or insecure automatically. However, given that they are not configured to fail open like most of the internet, and much of the private PKIs are highly regulated, I cannot concur with the idea that private is bad. Some private PKIs are actually far more secure than public CAs because they are redundant in a way that Commercial CAs generally are not, given their mission to support Operational Technology, ICS/SCADA, among other things. Right now, the CAB forum has some pretty weak activities written into their procedures. 2FA phishing resistant MFA? NOPE! A CAB Forum CA recently admitted as much "we'd love to move to more secure authentication procedures but we are constrained by CAB". So, they are making insecure phone calls verifying things, creating certs based in part off a phone call. What a joke! Most of the article just touches on encryption, languages using TLS, and Authentication only. There is alot more to Postgres security than just AuthN, and there is no mention of the platform upon which it runs. For example there is the DISA STIG for Postgres [1] and a CIS Benchmark also [2] and a CIS Prehardened Image [3] for running it in the cloud There are lots of guides on automating this [4] There are even pre-secured Postgres databases with nifty security features [5] More than all of these references though, Postgres has a great community that is available on IRC [6] that is highly willing to help you work through some of these options for your own. Long ago I got a great deal of help when working on PG, and they are a truly awesome group. [1] https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_PGS_... && https://www.stigviewer.com/stig/postgresql_9.x/ [2] https://www.cisecurity.org/cis-benchmarks/ [3] https://www.cisecurity.org/cis-hardened-image-list/ [4] https://medium.com/hackernoon/automate-implementing-the-disa... [5] https://www.crunchydata.com/products/hardened-postgres [6] https://www.postgresql.org/community/irc/ |
Isn't that what 'default' means? When you have exceptions, you can change from the default.