MariaDB Connector/C: CONC-544

No downgrade protection for ed25519 client authentication

      Description

      As discussed on this thread:
      https://mariadb.org/history-of-mysql-mariadb-authentication-protocols/#comment-48934

      ... there is no existing downgrade protection on the client that could prevent a compromised server from forcing the client down to simple password auth and thereby stealing the long-term credentials.

      This defeats one of the stated goals:
      "With the goal that not the traffic sniffing, not the mysql.user table, not both together, not even a fully compromised server would be able to recover the password"

      A compromised server can downgrade the auth to simple password and thereby recover it on next client authentication.
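As an illustration of the missing check described above (an added example, not Connector/C code): the packet layout follows the public MySQL/MariaDB wire protocol for an AuthSwitchRequest (status byte 0xFE, NUL-terminated plugin name, plugin data), the `mysql_native_password` formula is the documented one, and the password, scramble and candidate list are constructed. A client that pins the expected plugin refuses a switch request naming a weaker one before any secret leaves the process; an unpinned client hands over either the cleartext password or a native-password hash that a server or sniffer can dictionary-attack offline. The `client_ed25519` signing itself is not implemented here.

```python
"""Client-side auth-plugin pinning for the MariaDB/MySQL AuthSwitchRequest.
Constructed example; not part of MariaDB Connector/C."""
import hashlib
from dataclasses import dataclass

AUTH_SWITCH_STATUS = 0xFE  # first byte of an AuthSwitchRequest packet body
ED25519 = "client_ed25519"
NATIVE = "mysql_native_password"
CLEAR = "mysql_clear_password"


class AuthDowngradeError(Exception):
    """The server asked for a plugin the client was not configured to use."""


@dataclass(frozen=True)
class AuthSwitchRequest:
    plugin: str
    auth_data: bytes  # scramble / nonce supplied by the server


def parse_auth_switch_request(payload: bytes) -> AuthSwitchRequest:
    """Parse the packet body that follows the 4-byte length/sequence header:
    0xFE, NUL-terminated plugin name, plugin data up to end of packet."""
    if not payload or payload[0] != AUTH_SWITCH_STATUS:
        raise ValueError("not an AuthSwitchRequest")
    nul = payload.find(b"\x00", 1)
    if nul < 0:
        raise ValueError("unterminated plugin name")
    return AuthSwitchRequest(payload[1:nul].decode("ascii"), payload[nul + 1:])


def _sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def native_password_response(password: bytes, scramble: bytes) -> bytes:
    """mysql_native_password: SHA1(pw) XOR SHA1(scramble || SHA1(SHA1(pw)))."""
    h1 = _sha1(password)
    h3 = _sha1(scramble + _sha1(h1))
    return bytes(a ^ b for a, b in zip(h1, h3))


def clear_password_response(password: bytes) -> bytes:
    """mysql_clear_password: the password itself, NUL-terminated."""
    return password + b"\x00"


def switch_permitted(plugin: str, allowed_plugins) -> bool:
    """The downgrade check: only plugins the client was configured for."""
    return plugin in allowed_plugins


def answer_auth_switch(req: AuthSwitchRequest, password: bytes, allowed_plugins) -> bytes:
    """What a client sends back on AuthSwitchRequest. With allowed_plugins
    pinned to the expected plugin, a downgrade is refused before any
    credential material is derived or transmitted."""
    if not switch_permitted(req.plugin, allowed_plugins):
        raise AuthDowngradeError(
            f"refusing switch to {req.plugin}; allowed: {sorted(allowed_plugins)}")
    if req.plugin == CLEAR:
        return clear_password_response(password)
    if req.plugin == NATIVE:
        return native_password_response(password, req.auth_data[:20])
    raise ValueError(f"no responder for {req.plugin} in this example")


def crack_native_response(response: bytes, scramble: bytes, candidates):
    """Offline dictionary attack that a compromised server (or a sniffer
    holding the scramble) runs against a captured native-password response.
    Returns the matching candidate password, or None."""
    for pw in candidates:
        if native_password_response(pw, scramble) == response:
            return pw
    return None


def demo():
    """Unpinned client leaks the password; pinned client refuses the switch."""
    password = b"hunter2"  # constructed secret
    downgrade = b"\xfe" + CLEAR.encode() + b"\x00"  # server forces cleartext
    req = parse_auth_switch_request(downgrade)
    leaked = answer_auth_switch(req, password, {ED25519, NATIVE, CLEAR})
    refused = not switch_permitted(req.plugin, {ED25519})
    return leaked, refused


if __name__ == "__main__":
    print(demo())
```

Pinning has to be enforced by the client on every AuthSwitchRequest, not only when choosing the initial plugin: setting a default plugin does nothing if the client still honours whatever plugin the server names afterwards.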


              People

              Assignee: Georg Richter (georg)
              Reporter: Kenny Simpson (Kenny)