> It absolutely *does* have that requirement! If you need connection
> security, do NOT use SCRAM without authenticated transport encryption.
> Untrusted connection without TLS isn't part of the supported security
> model, which is why strengthening SCRAM for those use cases is
> discussed in public [1] rather than under a CVE fix.

I was referring to the RFC: SCRAM explicitly allows non-TLS
connections; it just recommends using TLS.
OAUTHBEARER explicitly requires it.

So allowing users to use SCRAM on plaintext without warnings looks
acceptable to me, but it's questionable for OAuth.

> But the communication with the server uses the Postgres model of
> security, which unfortunately puts more requirements on end users.
> ...
> Since it was an explicit decision rather than an oversight, I think
> you'd have a hard time overcoming the backport barrier without a
> really strong consensus.

I added another patch which is only a documentation improvement;
that's the new 0001. The documentation is very clear about "password"
being insecure over plaintext connections, but there's no such mention
for OAuth. This aims to fix that in all places where OAuth is
mentioned. This, or this together with the server-side warning, should
be an improvement for all versions, even without the client-side
change.

0002 and 0003 are the previous patches unchanged.

> so I'd like to strengthen
> that for everybody who uses the server and not just OAuth users.

What do you think about adding a similar server-side warning/info
message for plaintext+password and ident too in 0003?

Attachment: v3-0001-doc-warn-that-OAuth-over-plaintext-connections-is.patch

Attachment: v3-0002-libpq-require-encrypted-connections-for-OAUTHBEAR.patch

Attachment: v3-0003-Warn-when-OAuth-is-configured-on-plaintext-capabl.patch