Loads of PostgreSQL systems are sitting on the internet without SSL encryption
Only a third of PostgreSQL databases connected to the internet use SSL for encrypted messaging, according to a cloud database provider.
Bit.io, which offers a drag-and-drop database as a service based on PostgreSQL, searched shodan.io to create a sample of 820,000 PostgreSQL servers connected to the internet over September 1-29.
EDB, a consultancy specializing in building and supporting PostgreSQL systems, pointed out that only a minority of PostgreSQL databases are connected to the internet, and that the open source system does not accept connections from the internet by default.
Since external connections are disallowed by default, if developers need to open up PostgreSQL to the internet, they should do it via an app server that sits within a corporate firewall.
DBAs who manage PostgreSQL should review the firewall settings to ensure that connections are restricted to application servers and that the connection is hostssl, so only SSL connections can be made, Linster said.
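The `hostssl` review described above can be run against PostgreSQL's client authentication file, `pg_hba.conf`. The following is an added example, not code from the article or from EDB; the sample file and the application server addresses in it are constructed.

```python
import ipaddress

NO_SSL = "rule type permits unencrypted TCP connections"
TOO_WIDE = "address is not limited to the application servers"

# Constructed sample pg_hba.conf; 10.0.5.10 and 10.0.5.11 stand in for app servers.
SAMPLE_HBA = """\
# TYPE    DATABASE USER ADDRESS                 METHOD
local     all      all                          peer
host      all      all  127.0.0.1/32            scram-sha-256
hostssl   appdb    app  10.0.5.10/32            scram-sha-256
host      appdb    app  10.0.5.11/32            scram-sha-256
hostssl   all      all  0.0.0.0/0               scram-sha-256
hostnossl all      all  ::/0                    md5
hostssl   appdb    app  10.0.6.0 255.255.255.0  scram-sha-256
"""
APP_SERVERS = [ipaddress.ip_network(n) for n in ("10.0.5.10/32", "10.0.5.11/32")]

def parse_address(fields):
    """Network of a host* rule, or None for keywords and hostnames."""
    try:
        if "/" in fields[3]:
            return ipaddress.ip_network(fields[3], strict=False)
        # Older form: IP address and netmask in separate columns.
        return ipaddress.ip_network(f"{fields[3]}/{fields[4]}", strict=False)
    except (ValueError, IndexError):
        return None  # 'all', 'samehost', 'samenet' or a hostname

def audit_hba(text, allowed):
    """Return (line number, finding) pairs for non-loopback TCP rules."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields or not fields[0].startswith("host"):
            continue  # blank line, comment, or unix-socket ('local') rule
        net = parse_address(fields)
        if net is not None and net.is_loopback:
            continue
        if fields[0] in ("host", "hostnossl", "hostnogssenc"):
            findings.append((lineno, NO_SSL))
        if net is None or not any(
                net.version == a.version and net.subnet_of(a) for a in allowed):
            findings.append((lineno, TOO_WIDE))
    return findings

if __name__ == "__main__":
    for lineno, finding in audit_hba(SAMPLE_HBA, APP_SERVERS):
        print(f"pg_hba.conf line {lineno}: {finding}")
```

Rules are matched top to bottom, so a plain `host` rule also accepts SSL clients; it is flagged because it does not require SSL.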
News URL
https://go.theregister.com/feed/www.theregister.com/2022/10/07/postgresql_no_ssl/