SSL PostgreSQL

Yes, SSL connections are secure. But that’s not the only security to worry about. If somebody gets your credentials - which will be in your app no matter what you do - they can establish a secure connection on their own, authenticate using those stolen credentials, and do whatever they like.

2 Likes

Supabase is not just PostgreSQL, it comes with extra layers of security (yes, the users can make a mess if they don’t read the docs and understand the concepts).

Basically you can distribute a public key (anon key) inside your app that someone can figure out. That key will let that person connect… and do nothing… Because you have set up the system in such a way using RLS (Row Level Security) that the public schema is empty and the anon user can’t do anything except try to change to the authenticated mode (user logged in) using the several ways available to do so, none of which expose credentials hardcoded in the app.

And yes, it has REST APIs available too. People can build powerful and secure things IF THEY KNOW how to do it, because they can simply go the easy route of setting up an unsafe environment and connecting as a superuser with hardcoded credentials in an all-open public schema, and the gates of hell are open. :laughing: :firecracker:

As I said before, it’s interesting to explore this tool as it has a free tier. I haven’t, I just know the basics of it, but it has security certifications and seems worth exploring.

1 Like

Sure but u will agree that that can happen with any credentials, passwords, connections, and more right?

See my point is that not because in the past we were told not to do something for security reasons (i.e. direct connection to the db), that recommendation still stands nowadays with the advancements in tech.

Also the credentials do not need to be stored in the app but use other secret mechanisms like vault, akeyless or anything that makes u happy.

If u r telling me that a direct connection to a db over ssl is not a good practice then why connecting to a website or a bank or a secret manager is? Credentials can be leaked and exposure can happen. It is not that i am connecting to my db using a plain connection. If that was the case i get it. But is not.

Security has changed and it will continue to change for good (not perfect and not impenetrable but good). I could be wrong.

Now i feel the conversation is getting off topic but nothing wrong with learning.

No need to be so defiant. Tim and Thom are respected members, and generally speaking, based on a PostgreSQL server, they are completely correct. Be a bit humble and explain your views more deeply with a better tone.

1 Like

Correct. That’s why the API middleware you put in between controls what can actually happen to the database. The database credentials are never available to the client at all.

One way or another, the credentials are in memory at some point.

SSL is not in question here. SSL is good. It defends you against MITM attacks. That has nothing to do with access control, which is what the “don’t connect to your database” advice is about.

That sounds great. I still wouldn’t directly connect.

1 Like

And I am ok with your option. :slightly_smiling_face:

No need to be so defiant.

Defiant because I am expressing what I believe? Would you then also call the others defiant including yourself?

Tim and Thom are respected members

Sure Tim and Thom are respected members (don’t know them personally but have helped me with some of my questions) and i don’t believe i have disrespected them at all. Respected does not mean I don’t get to voice my opinion on the comments they make. I believe I am respectful on my comments. Can you point me to any comments where you believe i was disrespectful so i can learn not to be disrespectful?

Be a bit humble and explain your views more deeply with a better tone.

Humble? I do not know many of the things for Xojo so i am asking. I don’t pretend to know everything and also don’t tell people how to do things. It depends on the requirements and i can only give suggestions which i have not done to any questions yet. Not sure how i should take this comment of being humble. :thinking:

I believe i explained what i need help with (because i do not know a lot of how xojo works) and by the way the question took a turn for this. Also i explain what i meant with SSL and directly connecting to postgre DB. Maybe you have any questions on what I said? i will be happy to answer them if this will help my original issue.

Better tone? I learned not to impose any tone to any written communication. We are often wrong when we put a tone to anything someone writes especially when you do not see the person’s mannerisms or facial expressions. My tone I believe is ok and i also believe i have been respectful. I am not offended and also not mad, on the contrary I am truly grateful to people’s responses when they directly answer the original question and get me out of my ignorance when it comes to Xojo.

Thank you for voicing your opinion and helping me with this question Rick.

Before i comment I want to make sure my tone is neutral, I am not being disrespectful to you Thom or anyone here on the site.

Thom just like anything backend services are not your forever security shield where you can feel protected and think that nothing is going to happen (not what you said, i am saying it because i believe many people think that way and it is ok. They are free to think whatever they want).

In my experience backend services can run into the same issue as connecting directly to the db. Both use SSL to connect both run MITM risks both (if you know the basics of security) can obscure credentials but that does not mean they are not impenetrable. If you are ok with backend services why not with directly connecting to a DB over SSL (plus other goodies for security that includes - rbac, row level security, ip filtering, auth, etc)?

With all due respect, SSL was the original question. i believe that is my question and that is how we got here because even with SSL some people disagree with a direct connection to a db. Yes be secured (security should be priority at all times especially if you own your own company) but also yes let’s update ourselves with the new security technologies and understand them well so we can give sound advice to others. (this is not directed to anyone in specific)

See again my point, some of us were taught that a direct connection to a db is bad and not a best practice and that is ok :slight_smile: Some of us even with the latest advancements in security will still not do it and when they hear people doing it may not agree and that is ok. It just does not matter how secure one thing can be some of us are staying within our beliefs and that is ok. :slight_smile:

Thank you for your responses and for your answer sir.

Ok, back to the original question…

Thank you Alberto. If i remove the line that you specified in your comment, the connection works. I left the mode to:

pgre.SSLMode = PostgreSQLDatabase.SSLAllow and even when i change it to db.SSLMode = PostgreSQLDatabase.SSLRequire it works.

This is weird because i have the option below turned on in Supabase…

Enforce SSL on incoming connections - Reject non-SSL connections to your database

This means that Xojo somehow is providing a “secure” connection to supabase or there is a bug with supabase?

Will keep on looking for what is the right approach. Again Thank you Alberto.
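An added illustration, not part of the original posts and not Xojo or Supabase code: a small Python model of libpq's documented `sslmode` fallback order, showing what each client mode ends up with against a server that rejects non-SSL connections. It assumes Xojo's `SSLAllow` and `SSLRequire` map to libpq's `allow` and `require`; `negotiate`, `downgradable` and the two server policies are names made up for the example.

```python
# Added illustration: models libpq's documented sslmode fallback order.
# It opens no sockets; the server policies are constructed stand-ins.

# Order in which the client tries transports for each sslmode.
ATTEMPTS = {
    "disable": ["plain"],
    "allow":   ["plain", "tls"],   # plaintext first, TLS only if that is refused
    "prefer":  ["tls", "plain"],   # TLS first, plaintext as fallback
    "require": ["tls"],            # TLS or nothing
}

# Constructed server policies (hypothetical names).
ENFORCE_SSL = {"tls"}              # "Reject non-SSL connections" switched on
PERMISSIVE = {"tls", "plain"}      # server takes either transport


def negotiate(sslmode, server_accepts):
    """Return 'tls', 'plain' or 'refused' for a client mode and server policy."""
    for transport in ATTEMPTS[sslmode]:
        if transport in server_accepts:
            return transport
    return "refused"


def downgradable(sslmode):
    """True if the client would still connect when only plaintext is offered."""
    return negotiate(sslmode, {"plain"}) == "plain"


if __name__ == "__main__":
    for mode in ATTEMPTS:
        print(f"{mode:8} enforce-ssl={negotiate(mode, ENFORCE_SSL):8}"
              f" permissive={negotiate(mode, PERMISSIVE):6}"
              f" downgradable={downgradable(mode)}")
```

In this model both `allow` and `require` end up on TLS when the server enforces SSL, so a working connection in either mode is consistent with the server setting; the difference shows only against a server that also accepts plaintext.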

Ok. You’re just not getting my point. SSL is a good thing, but doesn’t help you at all with access control. They are two different aspects of security. SSL handles data integrity. Authentication handles permission. An API handles permission by not including malicious code in the first place. It’s not just relaying SQL commands. That would be completely pointless. It takes a request, say to delete an item from a shopping cart, and checks to make sure the user has permission to edit the shopping cart in question, the cart has the items to delete, and if all else passes will issue the SQL statements to do the work. The client knows nothing of the database. You could switch database engines entirely, and the client would never know. It doesn’t even have to be a database, it could be a collection of text files on a server. That would be a bad idea, but still possible.

Again, SSL is good and you would use it between your app and the API, but it still has nothing to do with the work the API is doing. The security comes from the fact that a bad actor can’t drop all your tables because your API doesn’t even have that code to begin with.

The reason we bring this up is because even if you solve this problem, it doesn’t help with your access control problem. You’re counting on Supabase’s access control. You’re hiding the keys to the house on the front porch, then following everyone who enters to make sure they follow the rules. It’ll work… until it doesn’t. Maybe a vulnerability is found with Supabase that allows privilege escalation. Don’t take the risk. Just don’t allow connections to the database in the first place.

Like Tim, I can’t keep going with this. Either you’ll take the advice, or you won’t. I’ve got a good guess which it’ll be. But I’ll leave you with this: early in my career I was given the same advice I’m giving you. And I also didn’t listen. Care to guess what happened?

2 Likes
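An added illustration of the shopping-cart request described in the post above, not code from any poster or from Supabase: a Python handler that checks the caller owns the cart and that the item is in it before issuing a fixed, parameterized statement. The schema, user names and `remove_cart_item` are constructed for the example, and an in-memory SQLite database stands in for the real one.

```python
import sqlite3


def make_db():
    """Constructed sample data: two users, one cart each."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE carts (id INTEGER PRIMARY KEY, owner TEXT NOT NULL);
        CREATE TABLE cart_items (cart_id INTEGER, sku TEXT,
                                 PRIMARY KEY (cart_id, sku));
        INSERT INTO carts VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO cart_items VALUES (1, 'SKU-1'), (1, 'SKU-2'), (2, 'SKU-9');
    """)
    return db


def remove_cart_item(db, session_user, cart_id, sku):
    """Handle 'remove item from cart'. Returns (http_status, message).

    The client sends an intent plus identifiers, never SQL, and the only
    statements that can run are the two written here.
    """
    if session_user is None:
        return 401, "not signed in"
    row = db.execute("SELECT owner FROM carts WHERE id = ?",
                     (cart_id,)).fetchone()
    # Same answer for "no such cart" and "not your cart", so the
    # response does not reveal which cart ids exist.
    if row is None or row[0] != session_user:
        return 404, "cart not found"
    cur = db.execute("DELETE FROM cart_items WHERE cart_id = ? AND sku = ?",
                     (cart_id, sku))
    if cur.rowcount == 0:
        return 404, "item not in cart"
    db.commit()
    return 200, "removed"


def item_count(db, cart_id):
    """Number of items currently in a cart (helper for checking results)."""
    return db.execute("SELECT COUNT(*) FROM cart_items WHERE cart_id = ?",
                      (cart_id,)).fetchone()[0]
```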

Thank you Thom,

I did not even imply that. I am very sure i provided some details of some of the levels of security supabase provides. You can also if you wanted, read more about it so maybe we can have a more intuitive discussion. Again, i never said supabase security or any security is perfect.

You are right SSL is the communication pipe between my app and the api (which i do not have) which encrypts the data running thru the pipe so hopefully no one can read it unless they have the key to decrypt it.

Before they can get into my db they will have to break thru the TLS, ip filtering, secrets in the vault, rbac, rls and auth in the frontend.

There is a pack lot of assumptions here. NOTE playful sarcasm ahead meant as a light joke …I wonder if my white paper leaked and you guys know more about my app than i do.

I appreciate you guys’ advice. But some of the advice feels forceful. Not sure how to take the statement above… if i say anything else that goes against what you are saying, i am wrong, defiant, disrespectful, a dummy or you guys get annoyed and threaten to stop commenting because you don’t like what i say or assume am just hard headed.

I am learning how some members of this “Community” work. I had seen it before with other comments to other members but now i actually experienced it. I feel like walking on eggshells.

I hope i did not offend anyone. Again thank you for taking the time to respond. I know you are reading this for that… Thank you again.