MariaDB Connector/C: CONC-544

No downgrade protection for ed25519 client authentication


Details

    Description

      As discussed in this thread (https://mariadb.org/history-of-mysql-mariadb-authentication-protocols/#comment-48934), there is no existing downgrade protection on the client that could prevent a compromised server from forcing the client down to simple password auth and thereby stealing the long-term credentials.

      This defeats one of the stated goals:
      "With the goal that not the traffic sniffing, not the mysql.user table, not both together, not even a fully compromised server would be able to recover the password"

      A compromised server can downgrade the auth to simple password and thereby recover it on next client authentication.
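      The client-side check the report asks for, as an added illustration in Python rather than Connector/C code: it parses a server AuthSwitchRequest and refuses to answer with a plugin weaker than the one the client was configured for. The packets and the plugin ranking are constructed for this example.

```python
"""Downgrade protection for MySQL/MariaDB AuthSwitchRequest packets.

Constructed example, not MariaDB Connector/C code. The server's
AuthSwitchRequest (0xFE, NUL-terminated plugin name, plugin data) is parsed
and the requested plugin is compared with the one the client configured.
"""

# Ranking by what a compromised server learns from the client's reply:
# clear_password reveals the password itself, native_password reveals a
# crackable hash, client_ed25519 reveals only a signature over the nonce.
STRENGTH = {
    "mysql_clear_password": 0,
    "mysql_native_password": 1,
    "client_ed25519": 2,
}


def parse_auth_switch_request(payload: bytes) -> tuple[str, bytes]:
    """Split an AuthSwitchRequest payload into (plugin name, plugin data)."""
    if not payload or payload[0] != 0xFE:
        raise ValueError("not an AuthSwitchRequest packet")
    end = payload.index(b"\x00", 1)
    plugin = payload[1:end].decode("ascii")
    return plugin, payload[end + 1:]


def accept_switch(configured: str, requested: str) -> bool:
    """Allow a switch only to a plugin at least as strong as the configured one."""
    if requested not in STRENGTH:
        return False  # unknown plugin: refuse rather than guess
    return STRENGTH[requested] >= STRENGTH[configured]


def handle_switch(configured: str, payload: bytes) -> str:
    """Return the plugin to answer with, or refuse the downgrade."""
    plugin, _nonce = parse_auth_switch_request(payload)
    if not accept_switch(configured, plugin):
        raise PermissionError(
            f"server requested {plugin}; refusing downgrade from {configured}")
    return plugin


# Constructed packets, not captured traffic.
SWITCH_TO_NATIVE = b"\xfe" + b"mysql_native_password\x00" + b"A" * 20 + b"\x00"
SWITCH_TO_ED25519 = b"\xfe" + b"client_ed25519\x00" + b"B" * 32

if __name__ == "__main__":
    print(handle_switch("client_ed25519", SWITCH_TO_ED25519))  # accepted
    try:
        handle_switch("client_ed25519", SWITCH_TO_NATIVE)
    except PermissionError as err:
        print("refused:", err)
```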

            People

              georg Georg Richter
              Kenny Kenny Simpson