Does Heroku Postgres use MITM attack protection?

With questions like this, it seems the only way to prevent man-in-the-middle attacks is to use sslmode=verify-full. This is also explained in the PostgreSQL docs.

When I use the DATABASE_URL provided by Heroku in my application, is there any guarantee that there will be no MITM attack? (Or, asked differently: is Heroku doing something behind the scenes to ensure that Heroku <-> Heroku-Postgres is safe?)

+5
1 answer

No, Heroku Postgres is not protected from MitM. The highest risk is pg:psql from the command line, as it's pretty easy to get between your laptop and Heroku using a Wi-Fi Pineapple or similar tools. The hop between your Dynos and the database is much more complicated. This is possible because Heroku did not create a CA to sign its database certificates, so there is no root of trust to use when connecting.

I noted that I actually performed such a MitM against Heroku Postgres here; if you are interested, please contact Heroku support and say that you would like to see them create a CA and issue a trusted root that we can use to authenticate connections.

+2
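The question hinges on which libpq `sslmode` a connection string carries: only `verify-full` makes the client check both the certificate chain and the server hostname, so every weaker mode leaves an on-path attacker able to present their own certificate. The following is an added example (not Heroku's code, nor part of the question or answer above) that classifies a `DATABASE_URL` by its `sslmode` and shows how one would rewrite it to `verify-full` with a pinned `sslrootcert`. The URL, hostname and certificate path are constructed placeholders; as the answer notes, the rewrite only helps once a trust anchor that actually signs the server certificate exists.

```python
"""Classify the MITM resistance of a libpq-style connection URL by its sslmode.

Added example for this Q&A; not Heroku's code. All sample values are constructed.
"""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# libpq sslmode values, weakest to strongest (per the PostgreSQL docs).
# Only verify-full authenticates the server (CA chain AND hostname); the rest
# give at most encryption to an unauthenticated peer, which a MITM can be.
SSLMODE_VERIFIES_SERVER = {
    "disable": False,
    "allow": False,
    "prefer": False,      # libpq's default when sslmode is absent
    "require": False,     # encrypts, but accepts any certificate
    "verify-ca": False,   # checks the CA chain, not the hostname
    "verify-full": True,
}

# Constructed placeholder; a real Heroku DATABASE_URL looks similar but has no sslmode.
CONSTRUCTED_URL = "postgres://user:secret@db-host.example.invalid:5432/appdb"


def connection_params(url: str) -> dict:
    """Return the URL's query parameters as a flat {name: value} dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def sslmode_of(url: str) -> str:
    """Return the effective sslmode, applying libpq's default of 'prefer' if unset."""
    return connection_params(url).get("sslmode", "prefer")


def resists_mitm(url: str) -> bool:
    """True only if the URL demands server identity verification (verify-full)."""
    mode = sslmode_of(url)
    if mode not in SSLMODE_VERIFIES_SERVER:
        raise ValueError(f"unknown sslmode {mode!r}")
    return SSLMODE_VERIFIES_SERVER[mode]


def harden_url(url: str, sslrootcert: str) -> str:
    """Rewrite the URL to sslmode=verify-full and pin the trust anchor via sslrootcert.

    This only works if the server's certificate chains to that root and its name
    matches the host; otherwise libpq will (correctly) refuse to connect.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    query["sslmode"] = ["verify-full"]
    query["sslrootcert"] = [sslrootcert]
    return urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(query, doseq=True), parts.fragment)
    )


if __name__ == "__main__":
    for candidate in (CONSTRUCTED_URL, CONSTRUCTED_URL + "?sslmode=require"):
        print(f"{sslmode_of(candidate):12} resists MITM: {resists_mitm(candidate)}")
    # Hypothetical root certificate path; Heroku provided no such root per the answer.
    print(harden_url(CONSTRUCTED_URL, "/etc/ssl/certs/db-root.pem"))
```

A practitioner would run `resists_mitm()` over every connection string an application actually uses, including the one `pg:psql` picks up, since `sslmode=require` (the common default in ORM adapters) reads as "secure" but does not authenticate the peer.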

Source: https://habr.com/ru/post/1241541/
