
Re: Securing isqlplus

From: Daniel Morgan <damorgan_at_exxesolutions.com>
Date: Mon, 19 May 2003 19:27:07 -0700
Message-ID: <3EC9927B.4E5AECC3@exxesolutions.com>


Alison Holloway wrote:

> Daniel Morgan wrote:
> > Thanks for your response.
> >
> > Hopefully in 10i, or whatever the next version is called, the default installation will be
> > HTTPS or we all know disaster will be reported in the computer press shortly thereafter if it
> > is insecure. The standard installation should include the HTTPS set-up for the major browsers.
> >
> > --
> > Daniel Morgan
> > http://www.outreach.washington.edu/extinfo/certprog/oad/oad_crs.asp
> > damorgan_at_x.washington.edu
> > (replace 'x' with a 'u' to reply)
> >
> >
>
> If iSQL*Plus is set up using SSL by default, using a temporary certificate, iSQL*Plus will
> fail to work when the certificate expires. Customers will then have an iSQL*Plus install
> that only works for a short time after installation, and be forced to either get their own
> certificate, or change the configuration so it doesn't use SSL. I can see a lot of
> confusion happening if suddenly iSQL*Plus stops working ...
>
> Alison

I can see far worse when the credit card information contained in the database is sold on eBay.

I cannot come up with a single reason why the Oracle installation must provide a temporary certificate. Provide what is necessary to permanently secure the connection or buy yourself a flak jacket. I can guarantee you crackers will have a field day the minute certs start expiring. The fact that customers can, or should, do something is as close to a guarantee as I can imagine ... that they won't, as evidenced by Microsoft's Windows woes.

The bad P/R will move at an incredible speed from Redwood Shores to Australia. I urge you to remedy this immediately.

--
Daniel Morgan
http://www.outreach.washington.edu/extinfo/certprog/oad/oad_crs.asp
damorgan_at_x.washington.edu
(replace 'x' with a 'u' to reply)
Received on Mon May 19 2003 - 21:27:07 CDT
