"Loads of PostgreSQL Systems Are Sitting on the Internet Without SSL Encryption"

According to a cloud database provider, only one-third of PostgreSQL databases connected to the Internet use Secure Sockets Layer (SSL) for encrypted messaging. Bit.io, which provides a drag-and-drop PostgreSQL database as a service, used shodan.io to create a sample of 820,000 PostgreSQL servers connected to the Internet between September 1 and September 29. More than 523,000 PostgreSQL servers in this sample did not use SSL. The company emphasizes that this opens the door for outsiders to eavesdrop on data transmitted to and from the server. It also stated that 41 online PostgreSQL servers did not require a password. In addition, the company conducted an informal survey of 22 popular SQL clients, finding that only two require encrypted connections by default, while six of them will request encryption but silently accept an unencrypted connection. The rest are unencrypted by default and must be explicitly configured to use SSL. It was also discovered that more than 43 percent of SSL certificates were self-signed, meaning that while the connection is encrypted, the server's identity cannot be trusted because the certificate was not issued or validated by a certificate authority. Bit.io found that 4 percent of the certificates had expired. This article continues to discuss findings from Bit.io's sample of 820,000 PostgreSQL servers and survey of 22 popular SQL clients.
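The two findings above (servers that do not offer SSL, and clients that request encryption but silently fall back to plaintext) can both be checked against a server you administer. The script below is an added example, not code from the article or from Bit.io: it sends the PostgreSQL wire-protocol SSLRequest packet and reads the server's one-byte answer, then classifies what a libpq client with a given `sslmode` would do with that answer, using the semantics from the PostgreSQL libpq documentation. The `FakePostgresListener` class is a constructed stand-in so the script runs offline; point `probe_ssl_support` at a real host and port to audit your own database.

```python
"""Probe a PostgreSQL endpoint for SSL support and classify client behaviour.

Added example (not from the article or Bit.io). Uses only the documented
PostgreSQL startup protocol: the client sends SSLRequest and the server
answers 'S' (will negotiate TLS) or 'N' (refuses; plaintext only).
"""
import socket
import struct
import threading

# SSLRequest packet: Int32 length (8) followed by Int32 request code
# 80877103, which the protocol defines as (1234 << 16) | 5679.
SSL_REQUEST_CODE = (1234 << 16) | 5679


def build_ssl_request() -> bytes:
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def probe_ssl_support(host: str, port: int, timeout: float = 5.0) -> str:
    """Return 'ssl-offered', 'ssl-refused', or 'unexpected' for host:port."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_ssl_request())
        reply = sock.recv(1)
    if reply == b"S":
        return "ssl-offered"
    if reply == b"N":
        return "ssl-refused"
    return "unexpected"  # e.g. connection closed or an ErrorResponse


# libpq sslmode semantics (PostgreSQL documentation):
#   disable      never use SSL
#   allow        try plaintext first, SSL only if plaintext fails
#   prefer       try SSL first, silently fall back to plaintext
#   require      SSL mandatory, server certificate NOT verified
#   verify-ca    SSL mandatory, certificate must chain to a trusted CA
#   verify-full  verify-ca plus the hostname must match the certificate
_KNOWN_MODES = {"disable", "allow", "prefer", "require", "verify-ca", "verify-full"}


def connection_outcome(sslmode: str, probe_result: str, cert_trusted: bool = True) -> str:
    """Classify the session a client with this sslmode ends up with.

    Returns 'tls', 'plaintext' or 'refused'. Assumes the server also accepts
    plaintext sessions (the default pg_hba.conf 'host' rule), which the
    probe alone cannot tell you. cert_trusted models whether the server
    certificate chains to a CA the client trusts (a self-signed certificate
    that has not been added to the client's root.crt does not).
    """
    if sslmode not in _KNOWN_MODES:
        raise ValueError(f"unknown sslmode {sslmode!r}")
    if sslmode in ("disable", "allow"):
        return "plaintext"  # both start with (and settle for) a plaintext session
    if probe_result != "ssl-offered":
        # prefer is the silent-downgrade case the survey describes.
        return "plaintext" if sslmode == "prefer" else "refused"
    if sslmode in ("verify-ca", "verify-full") and not cert_trusted:
        return "refused"
    return "tls"


def _recv_exact(conn: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


class FakePostgresListener:
    """Constructed stand-in for a server: answers one SSLRequest with `reply`."""

    def __init__(self, reply: bytes):
        self.reply = reply
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self) -> None:
        conn, _ = self.sock.accept()
        with conn:
            request = _recv_exact(conn, 8)
            if len(request) == 8 and struct.unpack("!ii", request) == (8, SSL_REQUEST_CODE):
                conn.sendall(self.reply)
        self.sock.close()


if __name__ == "__main__":
    import sys
    host, port = (sys.argv[1], int(sys.argv[2])) if len(sys.argv) == 3 else ("127.0.0.1", 5432)
    result = probe_ssl_support(host, port)
    print(f"{host}:{port} -> {result}")
    for mode in ("prefer", "require", "verify-full"):
        print(f"  sslmode={mode}: {connection_outcome(mode, result)}")
```

Run it as `python probe.py db.example.internal 5432`. A result of `ssl-refused` together with `sslmode=prefer: plaintext` is exactly the silent downgrade the client survey describes; the mitigation on the client side is `sslmode=verify-full` with the CA in `root.crt`, and on the server side enabling `ssl = on` and restricting `pg_hba.conf` to `hostssl` rules.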

The Register reports "Loads of PostgreSQL Systems Are Sitting on the Internet Without SSL Encryption"
