Security in PG Commander
Because PG Commander is made specifically for the Mac, it can take advantage of the many security features built into OS X.
PG Commander always tries to connect to PostgreSQL servers via an encrypted connection (SSL). If the server does not support SSL, PG Commander will show a warning. You should only connect without SSL if you are on a trusted network. Never connect without encryption when you are on a public network!
As an exception to this rule, PG Commander doesn't require encryption when connecting to ‘localhost’. (If your own computer is compromised, SSL won't help.)
Like your web browser, PG Commander will check the server certificate when connecting via SSL. It will check if the server certificate is signed by a trusted certificate authority. If the server uses a self-signed certificate, or the host name on the certificate doesn't match, PG Commander will show a warning dialog. You must then verify the certificate yourself (check if the fingerprint matches), and choose to connect or not. You can also choose to remember the certificate – then the server certificate will be added to your keychain and marked as trusted.
PG Commander also supports connecting via an SSH tunnel. This is especially useful when connecting to a database server behind a firewall. You can use SSH instead of SSL, or in addition to SSL. When connecting to an SSH server, PG Commander checks if the host key is in your known_hosts file. If it isn't, it will ask you to confirm the host key fingerprint, and remember the host key. It will not modify your known_hosts file. If there's a host key mismatch, PG Commander will refuse to connect. If the key changed because someone reinstalled the server, you have to update your known_hosts file to allow PG Commander to connect again.
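The host key check described above, written out as an added Python example (this is not PG Commander's code): it parses a known_hosts file, including OpenSSH's hashed-hostname entries, compares the key the server presents, and computes the SHA256 fingerprint a user would confirm. The host names, keys and file contents are constructed for the example.

```python
import base64
import hashlib
import hmac

def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(field: str, host: str) -> bool:
    """Match a known_hosts host field: plain comma-separated names or the
    hashed |1|salt|hmac-sha1 form. ([host]:port patterns are not handled.)"""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1)
        return hmac.compare_digest(mac.digest(), base64.b64decode(mac_b64))
    return host in field.split(",")

def check_host_key(known_hosts: str, host: str, key_type: str, key_b64: str) -> str:
    """Return 'known', 'unknown' or 'mismatch'. Never writes to known_hosts."""
    seen_other_key = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.startswith(("#", "@")):  # comments and @markers skipped
            continue
        if not host_matches(parts[0], host) or parts[1] != key_type:
            continue
        if parts[2] == key_b64:
            return "known"
        seen_other_key = True  # same host and key type, different key
    return "mismatch" if seen_other_key else "unknown"

# Constructed sample data (not real hosts or keys): two dummy ed25519 key blobs,
# one plain entry with an alias and one hashed entry.
KEY_A = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519" + bytes(range(32))).decode()
KEY_B = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519" + bytes(range(32, 64))).decode()
_SALT = bytes(20)
_MAC = hmac.new(_SALT, b"db.example.internal", hashlib.sha1).digest()
_HASHED = "|1|" + base64.b64encode(_SALT).decode() + "|" + base64.b64encode(_MAC).decode()
KNOWN_HOSTS = "\n".join([
    "# constructed example file",
    "db1.example.internal,10.0.0.5 ssh-ed25519 " + KEY_A,
    _HASHED + " ssh-ed25519 " + KEY_B,
])

if __name__ == "__main__":  # unknown host: show the fingerprint for the user to confirm
    verdict = check_host_key(KNOWN_HOSTS, "new.example.internal", "ssh-ed25519", KEY_A)
    print(verdict, fingerprint(KEY_A))
```

A "mismatch" verdict is the case where the client should refuse to connect; "unknown" is the case where it shows the fingerprint and asks the user.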
PG Commander does not support using client certificates for authentication.
If you check the “Save in Keychain” checkbox, PG Commander will store the passwords in your login keychain. The passwords are stored safely encrypted on your hard drive. This is much safer than storing the passwords in plain text. (Yes, there are apps that store passwords in plain text.) If an attacker wants to extract a password from the keychain, even if they steal your computer, they will still need your keychain password.
If you don't check the “Save in Keychain” box, PG Commander will remember passwords until you quit.
PG Commander is a “sandboxed” application. This means that it is isolated from other applications and has only limited access to your computer. PG Commander can connect to the internet (it wouldn't be a good database client if it couldn't) and it can read/write user-selected files (e.g. for exporting favorites). On the other hand, PG Commander has no access to things it doesn't need, like your emails or your camera.
PG Commander has the following sandbox privileges:
- Outgoing Network Connections
- Incoming Network Connections (needed for SSH tunnels)
- Read and Write user selected files
- Read-only access to the ~/.ssh/known_hosts file
Sandboxing is mainly a damage containment technique. It reduces the risk from security vulnerabilities in the software. If an attacker finds an exploit in PG Commander, they cannot use it to take control of your computer because of the limits set by the sandbox.
Sandboxing also protects you from malicious developers. A sandboxed application cannot simply send a copy of your address book to some server on the internet – unless it has the required privileges. (Unfortunately there is no easy way to check what privileges a sandboxed application has.)