[QGIS-Developer] SSL Performance Overhead

Stefan Steiger Steiger at cor-management.ch
Tue Jun 18 05:15:28 PDT 2019


Uh, ah, yea, also, sending a password for a DB-user over the intranet-network in plain text is rather bad. 
While the data retrieved from the DB might not be confidential, maybe there is confidential data in the db. 
Also, the login used could have permissions onto another DB that has confidential data inside. 

In my opinion, the default should be SSL, including in intranet.  
If anybody changes the default for performance reasons, they can, and correspondingly, the blame will be theirs if anything happens. 
Nowadays, we use SSL even in development. 
Just my 0.05 $


-----Ursprüngliche Nachricht-----
Von: QGIS-Developer [mailto:qgis-developer-bounces at lists.osgeo.org] Im Auftrag von Bernhard Ströbl
Gesendet: Montag, 17. Juni 2019 15:31
An: qgis-developer at lists.osgeo.org
Betreff: Re: [QGIS-Developer] SSL Performance Overhead

Hi all,

I have to add that we use SSL to encrypt the user credentials as we use LDAP to authentificate users at the database. So SSL is not only relevant looking at data stored in the database.
Bernhard

Am 17.06.2019 um 13:56 schrieb Andreas Neumann:
> Hi Stefan,
> 
> Yes, sure. If I were a bank or the national bank I would also mandate 
> use of SSL. Also, when personal data is involved. But many gov 
> authorities have primarily publically available geoinformation (object 
> data, no personal data) in their DBs and no sensitive data.
> 
> We are just discussing the defaults, anyone can enable SSL if it is 
> useful or required in their usage scenario.
> 
> Andreas
> 
> On 2019-06-17 13:20, Stefan Steiger wrote:
> 
>> One of our customers (Swiss National Bank) mandates the use of SSL in 
>> their internal LAN, even for DB connections.
>>
>> Using anything but SSL is an insecure mode of communication, even in LAN.
>>
>> RSA/DSA Accepted key-length is 2048 bit, recommended is 3072, ECC is
>> 160 Bit, recommended 256.
>>
>> -Only latest version of OpenSSL allowed
>>
>> -Accepted TLS 1.1+, recommended TLS 1.2+
>>
>> -SSL Version 3.0 or older are explicitly forbidden
>>
>> -Sha-1 is disallowed, sha2/3 accepted @ hash length 256 Bit
>>
>> -Extended Validation certificates have to be used
>>
>> -Wildcards in fully qualified names not allowed
>>
>> -Accepted: CTR/CBC/CCM/EAX, recommended GCM
>>
>> -SSL accepted with forward secrecy Disabled, recommended Enabled
>>
>> -Recommended CryptRandom: /dev/random, /dev/urandom,
>>
>> as per IT Security Baseline 2017-07-20
>>
>> *Von:*QGIS-Developer [mailto:qgis-developer-bounces at lists.osgeo.org]
>> *Im Auftrag von *Andreas Neumann
>> *Gesendet:* Montag, 17. Juni 2019 09:05
>> *An:* Matthias Kuhn <matthias at opengis.ch>
>> *Cc:* qgis-developer at lists.osgeo.org
>> *Betreff:* Re: [QGIS-Developer] SSL Performance Overhead
>>
>> Hi,
>>
>> I would say, that the use of SSL should be encouraged if the 
>> connection goes through public networks. If the Postgis connection is 
>> within the company LAN I don't see a strong reason for enabling SSL, 
>> unless the company LAN is designed in an "unsafe" way, or if 
>> sensitive data must be hidden from other employees in the same company.
>>
>> Personally, I never had good results (performance wise) if Postgis 
>> connections went through the public Internet, unless it is some "toy 
>> data".
>>
>> For this reason, I usually used streaming replication to replicate 
>> Postgis, so it is as close as possible to the users who need the data.
>> The streaming replication, if it goes through the public internet, of 
>> course should use SSL (or often it goes through an SSH tunnel).
>>
>> Sorry, I don't have any data on the overhead of SSL connections though.
>>
>> Andreas
>>
>> On 2019-06-17 08:48, Matthias Kuhn wrote:
>>
>>     Hi,
>>
>>     The documentation currently promises "massive speed-ups in PostGIS
>>     layer rendering" with SSL disabled. [1
>>     
>> <https://docs.qgis.org/2.18/en/docs/user_manual/managing_data_source/
>> opening_data.html#creating-a-stored-connection>]
>>
>>     I find some references to performance cost of SSL but they should
>>     be compensated for with connection pooling which we use for quite
>>     some time already.
>>
>>     Recently, the web is more and more encrypted - and that is very
>>     good! - so I think we should also start to encourage people to
>>     encrypt their SSL connections. Or at least certainly not
>>     discourage them from using encryption by promising performance
>>     benefits.
>>
>>     Is there anyone who knows why this sentence was introduced? And if
>>     there is (still) an issue with performance when using SSL?
>>
>>     Best regards
>>
>>     Matthias
>>
>>     [1]
>>     https://docs.qgis.org/2.18/en/docs/user_manual/managing_data_source/opening_data.html#creating-a-stored-connection
>>     
>> <https://docs.qgis.org/2.18/en/docs/user_manual/managing_data_source/
>> opening_data.html#creating-a-stored-connection>
>>
>>     [2] https://github.com/qgis/QGIS-Documentation/pull/3840
>>
>>     _______________________________________________
>>     QGIS-Developer mailing list
>>     QGIS-Developer at lists.osgeo.org <mailto:QGIS-Developer at lists.osgeo.org>
>>     List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
>>     Unsubscribe: 
>> https://lists.osgeo.org/mailman/listinfo/qgis-developer
>>
> 
> 
> 
> __________ Information from ESET Mail Security, version of virus 
> signature database 19536 (20190617) __________
> 
> The message was checked by ESET Mail Security.
> http://www.eset.com
> 
> _______________________________________________
> QGIS-Developer mailing list
> QGIS-Developer at lists.osgeo.org
> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> 





__________ Information from ESET Mail Security, version of virus signature database 19537 (20190617) __________

The message was checked by ESET Mail Security.
http://www.eset.com


_______________________________________________
QGIS-Developer mailing list
QGIS-Developer at lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer


More information about the QGIS-Developer mailing list