Re: Question re security

From: Fergal Taheny <ftaheny_at_gmail.com>
Date: Fri, 17 Jan 2014 09:19:27 +0000
Message-ID: <CAOuMUT6hNN-jo8gcgySu67NQGmiRLA10tW9EogW96CDr8Ock4A_at_mail.gmail.com>



Hi,

Just on this point:

"Using that port is an open avenue for any hacker worth his/her salt to run a sniffer in a Linux node to get all Oracle pwds."

This is something I have wondered about. The Oracle passwords are encrypted during transmission by default with standard sqlnet setup. I checked this with a packet sniffer once to confirm this but I have wondered if this encryption is reliable. No pre-sharing of any keys has to be done before a client can connect to a db. So as part of the authentication does the server send the client a key which the client uses to encrypt the password? If this is the case then isn't this open to a man in the middle attack?

Would be interested to hear people's opinions on this.

Thanks,
Fergal

--
http://www.freelists.org/webpage/oracle-l
Received on Fri Jan 17 2014 - 10:19:27 CET
