Sync the file with the notion page and the comments provided by Yannick. I have also updated links and dates.
benjaminach committed Mar 27, 2024
1 parent 2015242 commit 91447c4
Showing 1 changed file with 28 additions and 18 deletions.
@@ -1,7 +1,7 @@
---
title: SSB-2024-002 - Password Hash Algorithm Update For PostgreSQL Users
nav: SSB-2024-002 (MD5)
modified_at: 2024-03-13 00:00:00
nav: SSB-2024-002 (PostgreSQL)
modified_at: 2024-03-27 00:00:00
tags: security bulletin scalingo postgresql md5 scram-sha-256 database
---

@@ -26,14 +26,14 @@ This is a per-database-user change. It implies resetting the users' passwords (s

There are 2 distinct timelines, depending on the type of the parent application of the PostgreSQL add-on.

- **Health Data Hosting databases (HDH):** for PostgreSQL add-ons linked to HDH applications, this update is scheduled for $MIGRATION_START_DATE+6_MONTHS (in 6 months' time). This notice is due to the nature of the data contained in these databases and the excessive caution they require.
- **Health Data Hosting databases (HDH):** for PostgreSQL add-ons linked to HDH applications, this update is scheduled for $MIGRATION_START_DATE+2_MONTHS (in 2 months' time). This notice is due to the nature of the data contained in these databases and the excessive caution they require.
- **Other databases:** this change will be applied automatically **in the coming weeks**.

You will be notified by e-mail 24 hours before the start of the maintenance period of the affected add-on(s), according to the database maintenance window configuration.

## Impact on your applications

Rest assured, this transition is designed to have minimal impact on your applications (less than a second). The SCRAM-SHA-256 algorithm is widely supported by PostgreSQL clients library and has been in use for several years.
Rest assured, this transition is designed to have minimal impact on your applications (less than a second). The connections to the database will remain active and there is no need to restart your application. Furthermore, the SCRAM-SHA-256 algorithm is widely supported by PostgreSQL clients library and has been in use for several years.

To ensure a smooth transition, we kindly request you to verify that your PostgreSQL client version supports the SCRAM-SHA-256 algorithm. You can refer to the [PostgreSQL Wiki](https://wiki.postgresql.org/wiki/List_of_drivers) for the list of compatible client library versions.

@@ -54,38 +54,48 @@ All protected users in your PostgreSQL databases hosted on Scalingo will autom
### Unmanaged users

Unmanaged users of your database **won't be migrated** as we don't have their passwords.

There is no difference between users created via the CLI or the database dashboard.

{% note %}
Not migrating these users will not affect your database operations, but it will reduce your level of security.
{% endnote %}

If you have created users, either via the CLI or via the database dashboard is the same.

Once you have been notified that your database has been migrated.
After the update is finished, you will be able to change the password of any other unmanaged users to use the SCRAM-SHA-256 authentication method.

You can list the users of your database and see their current authentication method with the following command:
Use the Scalingo CLI (version 1.31.0 and later) to identify unmanaged users of your database. In order to upgrade the hash algorithm and authentication method, you will simply need to update or reset their passwords.

```bash
scalingo --app my-app --addon <addon uuid> database-users-list
$ scalingo --app my-app --addon <addon uuid> database-users-list
+----------------+-----------+-----------+---------------------+
| USERNAME | READ-ONLY | PROTECTED | PASSWORD ENCRYPTION |
+----------------+-----------+-----------+---------------------+
| proddb_4794 | false | true | SCRAM-SHA-256 |
| myuser | false | false | MD5 |
+----------------+-----------+-----------+---------------------+
```

For each **manually created user** using MD5 authentication method, run the following command. A prompt will ask for your password, you can either re-enter the current one or update it to a new value:

```bash
scalingo --app my-app --addon <addon uuid> database-user-update-password <username>
$ scalingo --app my-app --addon <addon uuid> database-user-update-password <username>
```

By listing the users in your database again, you will confirm the change of algorithm.

## How can I be sure that my application is compatible with SCRAM-SHA-256?

The best way to test this change without affecting your application is to create a new app with the same source code and add a new PostgreSQL add-on. You can then import some sample data and check the compatibility with your client library.
The best way to check this change, without affecting your application, is to create a new app with the same source code and add a new PostgreSQL add-on. You can then import some sample data and confirm the compatibility with your client library.

To help you identify the connection method used when establishing a connection to your database, we have made this information visible in our API and CLI. For more information, [please consult our documentation].
To help you identify the connection method used when establishing a connection to your database, we have made this information visible in our API and CLI (version 1.31.0 and later). For more information, [please consult our documentation](/databases/postgresql/managing#listing-users).

## I would like to apply this change faster for my HDH apps add-ons
## I would like to apply this change faster (HDH add-ons only)

If your HDH application is already fully compatible with SCRAM-SHA-256 and you wish to apply this security enhancement without waiting for 6 months, please contact our support team by chat or e-mail. Provide us the names of the databases you wish to update and we will do the rest!

## I would like to postpone this maintenance for more than 2 months (HDH add-ons only)

Although it is not recommended, if you would like to defer this maintenance for more than 2 months for your HDH applications, please contact our support team.

## Final words

The migration from MD5 to SCRAM is a necessary security enhancement. SCRAM is a more secure and modern authentication method that provides better protection against several types of attacks, including brute force and rainbow table attacks. This change is in line with industry best practices and recommendations for database security.
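Review bot: the earlier hunk shortens the HDH schedule from 6 to 2 months, but the unchanged line under "I would like to apply this change faster (HDH add-ons only)" still says "without waiting for 6 months"; update it to 2 months so the two sections agree. Also, `<addon uuid>` contains a space, so the example commands cannot be pasted as-is; `<addon-uuid>` (or the add-on's resource id, as the CLI expects) avoids that. Finally, the prompt sentence could say explicitly that re-entering the current password is sufficient, because the server stores a new SCRAM-SHA-256 verifier in place of the MD5 hash, which is what the second listing confirms.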
@@ -97,10 +107,10 @@ Scalingo is committed to maintain the highest standards of security and service

## Timeline

- 2024-01-18: Announcement and detailed information provided to customers.
- 2024-03-01: Start of the automatic migration of all non-HDH databases to SCRAM authentication.
- 2024-09-01: Start of the automatic migration of all HDH databases to SCRAM authentication.
- 2024-04-01: Announcement and detailed information provided to customers.
- 2024-04-08: Start of the automatic migration of all non-HDH databases to SCRAM authentication.
- 2024-06-10: Start of the automatic migration of all HDH databases to SCRAM authentication.

## Changelog

2024-01-18 : Initial version
2024-03-27 : Initial version
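Review bot: the changelog replaces the "2024-01-18 : Initial version" entry with "2024-03-27 : Initial version" instead of appending a revision, so the record of the first version (with its 2024-03-01 and 2024-09-01 dates) is lost; keep the original line and add "2024-03-27 : Updated timeline, HDH deferral period and links". Also, the Timeline now dates the announcement 2024-04-01 while the front matter `modified_at` and this changelog say 2024-03-27; confirm which one is the publication date.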
