Re: [HACKERS] Some thoughts about SCRAM implementation

On 04/12/2017 11:22 AM, Magnus Hagander wrote:

On Wed, Apr 12, 2017 at 3:25 AM, Bruce Momjian <bruce@momjian.us> wrote:

And which enterprises are using SSL without certificates?  And I thought
channel binding required certificates anyway, e.g.:

        https://en.wikipedia.org/wiki/Salted_Challenge_Response_
Authentication_Mechanism#Channel_binding

        For instance, for the tls-server-end-point channel binding, it is
the
        server's TLS certificate.

AFAIK it does require the TLS certifificates, but it does not require TLS
certificate *validation*. You can use channel binding with just self-signed
certs.

tls-server-end-point channel binding type relies on certificates. But SCRAM uses "tls-unique" by default, and it does not use certificates. It's a bit weird that the wikipedia article uses tls-server-end-point as the example, I don't know why anyone would use tls-server-end-point with SCRAM.

That said, I stand by my comment that I don't think it's the enterprises
that need or want the channel binding. If they care about it, they have
already put certificate validation in place, and it won't buy them anything.

Because channel binding also only secures the authentication (SCRAM), not
the actual contents and commands that are then sent across the channel,
AFAIK?

TLS protects the contents and the commands. The point of channel binding is to defeat a MITM attack, where the client connects to a malicious server, using TLS, which then connects to the real server, using another TLS connection. Channel binding will detect that the client and the real server are not communicating over the same TLS connection, but two different TLS connections, and make the authentication fail.

SSL certificates, with validation, achieves the same, but channel binding achieves it without the hassle of certificates.