 

Is using Heroku Postgres secure against MITM attacks?

With questions like this, it looks like the only way to prevent man-in-the-middle attacks is to use sslmode=verify-full. This is also explained in the PostgreSQL docs.

When I use the DATABASE_URL provided by Heroku in my app, is there a guarantee that there won't be a MITM attack? (Or asked another way, does Heroku do something behind the scenes to guarantee that Heroku <-> Heroku-Postgres is secure?)

Joe asked Jan 26 '16 18:01



1 Answer

No, Heroku Postgres is not secure against a MitM. The highest risk is running pg:psql from the command line, since it's fairly easy to get between your laptop and Heroku by using a WiFi Pineapple or similar tools. Getting between your Dynos and the database is much harder. This is possible since Heroku hasn't created a CA to sign their database certificates, thus there's no trust root to use when you're connecting.

I did a writeup of actually performing such a MitM against Heroku Postgres here. If you care about this, please file a support ticket with Heroku saying you'd like to see them create a CA and issue a trusted root we can use to authenticate connections.

thusoy answered Oct 03 '22 05:10
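As an added example (not code from either poster, and not Heroku's own tooling), here is a small Python script that checks what a libpq-style DATABASE_URL actually asks for in terms of server authentication, and rewrites it to sslmode=verify-full with an explicit sslrootcert. The sample URL and the CA file path are constructed placeholders: as the answer above notes, Heroku does not publish a CA for its database certificates, so the rootcert path assumes you have obtained a trust root some other way.

```python
"""Classify and harden the TLS settings of a postgres:// connection URL.

Added example, not part of the original Q&A. The DATABASE_URL values used
below are constructed; host, credentials and the CA file path are placeholders.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# libpq sslmode values and what each one buys you against an active attacker
# (summarised from the PostgreSQL libpq "SSL Support" documentation).
SSLMODE_PROTECTION = {
    "disable":     "no TLS at all",
    "allow":       "TLS only if the server insists; no server authentication",
    "prefer":      "TLS if offered (libpq default); no server authentication",
    "require":     "TLS always; certificate checked only if sslrootcert exists",
    "verify-ca":   "certificate chains to sslrootcert; hostname not checked",
    "verify-full": "certificate chains to sslrootcert and matches hostname",
}


def ssl_params(database_url: str) -> dict:
    """Return the query-string parameters of a postgres:// URL as a dict."""
    parts = urlsplit(database_url)
    return dict(parse_qsl(parts.query, keep_blank_values=True))


def effective_sslmode(database_url: str) -> str:
    """sslmode the connection will use; libpq defaults to 'prefer' when unset."""
    return ssl_params(database_url).get("sslmode", "prefer")


def resists_mitm(database_url: str) -> bool:
    """True only when libpq will verify both the chain and the hostname.

    verify-ca stops an attacker who has no cert from the trusted CA, but not
    one holding any other cert from that CA, so only verify-full together with
    an explicit trust root counts as MITM-resistant here.
    """
    params = ssl_params(database_url)
    return params.get("sslmode") == "verify-full" and bool(params.get("sslrootcert"))


def harden(database_url: str, rootcert_path: str) -> str:
    """Rewrite the URL so libpq verifies the chain and the hostname.

    rootcert_path must point at the CA that actually signed the server's
    certificate; the path passed in the demo below is a placeholder.
    """
    parts = urlsplit(database_url)
    params = ssl_params(database_url)
    params["sslmode"] = "verify-full"
    params["sslrootcert"] = rootcert_path
    return urlunsplit(parts._replace(query=urlencode(params, safe="/")))


if __name__ == "__main__":
    # Constructed sample in the shape Heroku hands out: no sslmode at all,
    # so libpq falls back to 'prefer' and never authenticates the server.
    url = "postgres://user:secret@ec2-1-2-3-4.compute-1.amazonaws.com:5432/dbname"
    mode = effective_sslmode(url)
    print(f"sslmode={mode}: {SSLMODE_PROTECTION[mode]}")
    print("MITM-resistant:", resists_mitm(url))
    print(harden(url, "/app/config/heroku-postgres-ca.crt"))
```

The check is deliberately conservative: a URL with sslmode=require still reports as not MITM-resistant, because libpq only validates the certificate under require when a root CA file happens to be present, and even then it does not check the hostname. The practical caveat for pg:psql is the same one the answer makes: without a trust root to put in sslrootcert, verify-full has nothing to verify against, so rewriting the URL helps only once you have a CA you trust.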