This article is essentially content marketing for a DBaaS company, for which the author appears to serve as CTO, to promote a alternative default configuration that favours their business model.
If you are the one using a programming library directly, you may know that `prefer` does this. If you are using a client that doesn't expose this to you, you may not know that you are using an unencrypted connection after you had set ssl on.
All the SQL transit is cleartext by default.
A "wallet" can be defined for TLS, but the Oracle Instant Client doesn't (appear to) support this functionality.
I push all my local Oracle database links over stunnel.
Oracle SQL Developer even has an SSH pane, because wallets are so very unusable.
The pg_hba file goes out or it’s way to make it difficult to even connect locally easily.
Nevertheless you would do it so that your db server can be reached by the other machines.
Sigh.
I suppose not fire-walling everything would be someone’s own fault.
And not setting proper passwords.
And not turning on SSL.
> At most 15% of the approximately 820,000 PostgreSQL servers listening on the Internet require encryption.
No, this is merely the ones that you can scan that are potentially identifiable as Postgres. You're missing a literal ton, and you are probably connecting to most of the PG honeypots in the world, and then making conclusions about the state of all Postgres.
Congrats, you fell for a trap!
> most popular SQL clients are more than happy to accept unencrypted connections without a warning
This is a configurable item, and the idea that everything should always be encrypted all the time may not be true for various use-cases.
While secure by default is a consideration, I'd dare say that the likely use-case is more so get Postgres running on a developer machine, connect to it locally, only!
> Connections to servers with self-signed certificates are encrypted, but the certificates often do not confer trust: generally, they are neither issued nor validated by a certificate authority, they don’t expire, and they can’t be revoked.
There is another giant assumption in this case, that a self-signed, enterprise, or private PKI is a bad one. Foremost it may be self-signed because that is the standard for honeypots. But the idea that self-signed is bad is not just false, it is actually wrong . Because many public PKIs, particularly ones adherent to CAB, are making trades that may be good for general use, but are very bad for specific other use-cases.
To add to that, when you see a private PKI, an enterprise PKI, etc, you don't know if they can be revoked, or can't be revoked because you don't have access to the PKI internals, and you don't know them. I doubt many public CAs have the security characteristics I've seen in private PKIs around attack resistance, existence on multiple networks, splitting CA and VA functions, using high assurance functions for those interacting with the PKI, and willingness to invest in the correct hardware and proper staff to operate it. Most private PKIs distribute and configure trust stores as a part of an enterprise or govt function, but how they do that does not mean secure or insecure automatically. However, given that they are not configured to fail open like most of the internet, and much of the private PKIs are highly regulated, I cannot concur with the idea that private is bad.
Some private PKIs are actually far more secure than public CAs because they are redundant in a way that Commercial CAs generally are not, given their mission to support Operational Technology, ICS/SCADA, among other things.
Right now, the CAB forum has some pretty weak activities written into their procedures. 2FA phishing resistant MFA? NOPE! A CAB Forum CA recently admitted as much "we'd love to move to more secure authentication procedures but we are constrained by CAB". So, they are making insecure phone calls verifying things, creating certs based in part off a phone call. What a joke!
Most of the article just touches on encryption, languages using TLS, and Authentication only.
There is alot more to Postgres security than just AuthN, and there is no mention of the platform upon which it runs.
For example there is the DISA STIG for Postgres [1] and a CIS Benchmark also [2] and a CIS Prehardened Image [3] for running it in the cloud
There are lots of guides on automating this [4]
There are even pre-secured Postgres databases with nifty security features [5]
More than all of these references though, Postgres has a great community that is available on IRC [6] that is highly willing to help you work through some of these options for your own. Long ago I got a great deal of help when working on PG, and they are a truly awesome group.
[1] https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_PGS_... && https://www.stigviewer.com/stig/postgresql_9.x/
[2] https://www.cisecurity.org/cis-benchmarks/
[3] https://www.cisecurity.org/cis-hardened-image-list/
[4] https://medium.com/hackernoon/automate-implementing-the-disa...
Isn't that what 'default' means? When you have exceptions, you can change from the default.
If the key intention for a downloadable Postgresql is developer productivity, and the intended environment is local on a laptop communicating to a client local there too, then this would make alot more sense.
According to Google, "insecure" means:
1. not firmly fixed; liable to give way or break. 2. (of a person) not confident or assured; uncertain and anxious.
and "unsecure":
1. (especially of a computer system) not protected against attack or other criminal activity. 2. (of a loan) unsecured.
https://www.merriam-webster.com/dictionary/insecure definition 3, https://dictionary.cambridge.org/dictionary/english/insecure definition 2, https://www.collinsdictionary.com/dictionary/english/insecur... definition 2, https://www.oxfordlearnersdictionaries.com/definition/englis... definition 2
Dictionaries have also by and large given up on prescriptivism. The correct use of language is the way language is being used, with dictionaries trailing and recording consensus reality, not defining it.
