From stefan.jahnke@d2vodafone.de Wed, 09 May 2001 07:19:46 -0700 From: Stefan Jahnke Date: Wed, 09 May 2001 07:19:46 -0700 Subject: Re: Passwords sent from client to server via OCI calls - are Message-ID: MIME-Version: 1.0 Content-Type: text/plain Joe Sanderson schrieb: > > Hello, > > I'm using OCI in my application to connect to the Oracle server (currently > using orlon call, have not yet moved on to OCILogon). My question is this: > when the password is sent by the OCI code from the client to the server, is > the password encrypted? I want to find out if my application will be > vulnerable to network sniffers or other methods of breaching security in the > Oracle environment. > > I've looked in the Oracle documentation, and have not yet found a way to > send anything to the orlon call other than the unencrypted password. I have > also not found any details on what the OCI client side code does with the > password (if anything) before sending it to the server. > > Thanks for any useful replies. > Joe Sanderson > > -- > Please see the official ORACLE-L FAQ: http://www.orafaq.com > -- > Author: Joe Sanderson > INET: joe.sanderson@ecora.com > > Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 > San Diego, California -- Public Internet access / Mailing Lists > -------------------------------------------------------------------- > To REMOVE yourself from this mailing list, send an E-Mail message > to: ListGuru@fatcity.com (note EXACT spelling of 'ListGuru') and in > the message BODY, include a line containing: UNSUB ORACLE-L > (or the name of mailing list you want to be removed from). You may > also send the HELP command for other information (like subscribing). > > ----------------------------------------------------------- > This Mail has been checked for Viruses > Attention: Encrypted Mails can NOT be checked ! > > *** > > Diese Mail wurde auf Viren ueberprueft > Hinweis: Verschluesselte Mails koennen NICHT geprueft werden! > ------------------------------------------------------------ Hi, I'm not sure, but just run a sniffer. If the passwords aren't encrypted, they show up ... that's it. -- Regards, Stefan Jahnke BOV AG @:D2 Vodafone, Abt.: FIBM -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Stefan Jahnke INET: stefan.jahnke@d2vodafone.de Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 San Diego, California -- Public Internet access / Mailing Lists -------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru@fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).