Re: Securing isqlplus
Alison Holloway wrote:
> Daniel Morgan wrote:
> > Thanks for your response.
> >
> > Hopefully in 10i, or whatever the next version is called, the default installation will be
> > HTTPS or we all know disaster will be reported in the computer press shortly thereafter if it
> > is insecure. The standard installation should include the HTTPS set-up for the major browsers.
> >
> > --
> > Daniel Morgan
> > http://www.outreach.washington.edu/extinfo/certprog/oad/oad_crs.asp
> > damorgan_at_x.washington.edu
> > (replace 'x' with a 'u' to reply)
> >
> >
>
> If iSQL*Plus is set up using SSL by default, using a temporary certificate, iSQL*Plus will
> fail to work when the certificate expires. Customers will then have an iSQL*Plus install
> that only works for a short time after installation, and be forced to either get their own
> certificate, or change the configuration so it doesn't use SSL. I can see a lot of
> confusion happening if suddenly iSQL*Plus stops working ...
>
> Alison

I can see far worse when the credit card information contained in the database is sold on eBay.

I cannot come up with a single reason why the Oracle installation must provide a temporary certificate. Provide what is necessary to permanently secure the connection or buy yourself a flak jacket. I can guarantee you crackers will have a field day the minute certs start expiring. The fact that customers can, or should, do something is as close to a guarantee as I can imagine ... that they won't, as evidenced by Microsoft's Windows woes.

The bad P/R will move at an incredible speed from Redwood Shores to Australia. I urge you to remedy this immediately.

--
Daniel Morgan
http://www.outreach.washington.edu/extinfo/certprog/oad/oad_crs.asp
damorgan_at_x.washington.edu
(replace 'x' with a 'u' to reply)

Received on Mon May 19 2003 - 21:27:07 CDT