From 5b346313f1cecd3c4c79b6e104094e50bb1cfa75 Mon Sep 17 00:00:00 2001
From: Jacob Champion <jchampion@timescale.com>
Date: Mon, 22 May 2023 16:46:23 -0700
Subject: [PATCH] docs: encourage strong server verification with SCRAM

The server verification in libpq's SCRAM implementation can be subverted
in various ways. While mitigations for some of the issues exist, it's
probably wise for most users to combine it with strong server
authentication, to avoid entering a SCRAM exchange with an untrusted
server. Recommend that in the docs.
---
 doc/src/sgml/runtime.sgml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index dbe23db54f..cf93d9443c 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -2021,6 +2021,21 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
     authentication with them.  The TCP client must connect
     using <literal>gssencmode=require</literal>.
   </para>
+
+  <warning>
+    <para>
+      While the SCRAM authentication method (<xref linkend="auth-password"/>)
+      theoretically provides a form of server authentication without the use of
+      certificates, the current SCRAM implementation does not protect the entire
+      authentication exchange. A spoofed server (or an active attacker on the
+      network) may tamper with the startup packet or attempt to bypass the
+      client's server verification step. Additionally, an attacker on the wire
+      may use an intercepted SCRAM exchange to begin a brute-force attack
+      against the password offline. It's recommended to employ strong server
+      authentication, using one of the above anti-spoofing measures, to prevent
+      these attacks.
+    </para>
+  </warning>
  </sect1>
 
  <sect1 id="encryption-options">
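Review bot: The new warning's closing advice, "using one of the above anti-spoofing measures", relies on the reader having read the earlier paragraphs of this sect1; a reader who lands here via the <xref linkend="auth-password"/> link in the other direction will not know which measures are meant. Suggest naming them inline, e.g. "... employ strong server authentication, such as <literal>sslmode=verify-full</literal> with a trusted CA or <literal>gssencmode=require</literal>, ...", matching the <literal> convention the surrounding context already uses. Also, the commit message says mitigations for some of the issues exist, but the warning does not tell users what they are; if channel binding (<literal>channel_binding=require</literal>) is one of them, a short clause pointing to it would make the paragraph actionable rather than only alarming.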
-- 
2.25.1

