Re: Commitfest 2021-11 Patch Triage - Part 2

[Andrey Borodin]

> On 11/10/21 16:54, Andrey Borodin wrote:
> 
>> Compression is crucial for highly available setups. Replication traffic is 
>> often billed. Or route has bandwidth limits.
>> An entropy added by WAL headers makes CRIME attack against replication 
>> encryption impractical.
> 
> I very much doubt WAL headers are a reliable protection against CRIME,
> because the entropy of the headers is likely fairly constant. So if you
> compress the WAL stream, the WAL headers may change but the compression
> ratio should be pretty similar. At least that's my guess.

I've thought more about it and I agree.
To reliably protect against CRIME entropy of WAL headers must be comparable 
with the entropy of possibly injected data.
If this would stand, probably, our WAL would need a really serious rework.

Maybe just refuse to enable compression on SSL connection? If someone really 
needs both - they will just patch a server on their own.
Or make a GUC "yes_i_kwow_what_crime_is_give_grant_read_on_my_data_to_spies".

Best regards, Andrey Borodin.