Re: Securing isqlplus

From: Chuck <chuckh_at_softhome.net>
Date: 20 May 2003 20:23:23 GMT
Message-ID: <Xns9381A6B99430Dchuckhsofthomenet@130.133.1.4>


Daniel Morgan <damorgan_at_exxesolutions.com> wrote in news:3ECA6642.AA46A652_at_exxesolutions.com:

> Chuck wrote:
> 

>> Daniel Morgan <damorgan_at_exxesolutions.com> wrote in
>> news:3EC9CF44.D684FF03_at_exxesolutions.com:
>>
>> > Alison Holloway wrote:
>> >
>> >> > I cannot come up with a single reason why the Oracle
>> >> > installation must provide a temporary certificate. Provide what
>> >> > is necessary to permanently secure the connection or buy
>> >> > yourself a flack jacket.
>> >>
>> >> Oracle is not a CA, and therefore cannot issue certificates.
>> >> Oracle can, however, issue temporary certificates that aren't
>> >> 'certified' to the user/company/server. These can be used for
>> >> testing, but a real certificate is needed for production servers.
>> >> There are professional CA companies that you should contact to buy
>> >> a certificate.
>> >>
>> >> Alison
>> >
>> > I understand what you have written but it is no substitute in the
>> > real-world.
>> >
>> > One of the major complaints about DB2 is that it is not secure
>> > without purchasing an additional product, for example Tivoli. What
>> > is being duplicated here appears to be an analogous situation. I
>> > spend hundreds of thousands or millions of dollars to purchase a
>> > product from Oracle and then have to go negotiate with someone else
>> > to purchase what I need to provide a secure environment. I hope I
>> > am misunderstanding but it appears that way from here. And if that
>> > is the case it is a marketing disaster waiting to happen.
>> >
>> > Oracle should go to a professional CA company and purchase what is
>> > required and then bundle it into the database or, given Oracle's
>> > assets, purchase the company itself. Anything less and you've
>> > surrendered a substantial piece of market-share to Bill Gates.
>> >
>> > Expect substantial negative feedback in Redwood Shores beginning
>> > tomorrow morning unless my understanding is incorrect.
>> >
>> > Thanks for stepping up to the plate and telling us what is
>> > happening. But it is important to remember that you are the one
>> > that stuck a knife into SQLPLUSW, not us. You, as Oracle, made that
>> > decision. If your decision results in us having to purchase an
>> > additional product at additional expense you can expect a lot of
>> > very unhappy customers and that some of us will vigorously express
>> > our displeasure.
>> >
>> > I will look for your email off-line and here when I awake.
>> > --
>> > Daniel Morgan
>>
>> This is a tough issue. Nobody wants to have to purchase a certificate
>> from a CA just to connect to their databases securely. But then
>> again, imagine the fallout if you did continue to use the temporary
>> certificate (which does not authenticate that you are really
>> connecting to the server you think you're connecting to), and someone
>> hijacked your server's address. How many passwords would most people
>> try before giving up? In this scenario, without even knowing it, they
>> would have just given all their passwords to some hacker who also
>> knows the real IP address of the database server. That's scary.
>> --
>> Chuck
> 
> What is scary is Oracle sacrificing its so far excellent record in
> data security to a new front-end tool that isn't and over which they
> have no control.
> 
> Please Alison ... tell me it ain't so.
> --
> Daniel Morgan
> http://www.outreach.washington.edu/extinfo/certprog/oad/oad_crs.asp
> damorgan_at_x.washington.edu
> (replace 'x' with a 'u' to reply)
> 
> 
> 

Think that's scary? I haven't found anything yet that indicates that OEM connections between the console and management server can be secured at all. It does not use sqlnet or https, just straight TCP. There is one thing, however, that we all seem to have forgotten. You can always use a VPN over a public network, and that *is* secure whether you use https or not.

Received on Tue May 20 2003 - 15:23:23 CDT
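Chuck's point about the temporary certificate, that a certificate nothing vouches for cannot tell you which server you actually reached, so an impostor sitting at the server's address collects whatever passwords users type, can be shown with a small TLS exchange. The Go program below is an added example, not code from the thread, from Oracle or from any iSQL*Plus component. It mints two self-signed certificates for the constructed name db.example.test (one treated as the genuine server, one as an impostor with a different key and the same name), serves each on loopback, and dials with three client trust policies: the system trust store, explicit trust in the genuine certificate, and verification switched off. Only the last policy accepts the impostor, which is exactly the failure the post describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned mints a throwaway self-signed certificate for name, the kind of
// "temporary certificate" discussed in the thread. Nothing vouches for it but itself.
func selfSigned(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// serveOnce listens on loopback presenting cert, drives one handshake, then closes.
func serveOnce(cert tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", err
	}
	go func() {
		defer ln.Close()
		if conn, err := ln.Accept(); err == nil {
			_ = conn.(*tls.Conn).Handshake() // a client that distrusts this cert aborts here
			conn.Close()
		}
	}()
	return ln.Addr().String(), nil
}
type Outcome struct {
	DefaultRootsReject        bool // system roots reject the temporary certificate
	PinnedAccepts             bool // trusting the genuine certificate explicitly succeeds
	PinnedRejectsImpostor     bool // ...and refuses a look-alike cert served at the same address
	SkipVerifyAcceptsImpostor bool // with verification off, the impostor is accepted silently
}

// Demo runs the four handshakes and reports what each client trust policy accepted.
func Demo() (Outcome, error) {
	const host = "db.example.test" // constructed name, not a real server
	genuine, err := selfSigned(host)
	if err != nil {
		return Outcome{}, err
	}
	impostor, err := selfSigned(host) // different key, same name: the hijack scenario
	if err != nil {
		return Outcome{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(genuine.Leaf)
	// run serves cert once and dials it as host; pool == nil means the system
	// trust store, skip disables certificate checking entirely.
	run := func(cert tls.Certificate, pool *x509.CertPool, skip bool) bool {
		addr, err := serveOnce(cert)
		if err != nil {
			return false
		}
		conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: host, RootCAs: pool, InsecureSkipVerify: skip})
		if err == nil {
			conn.Close()
		}
		return err == nil // false means the client refused the server's certificate
	}
	return Outcome{
		DefaultRootsReject:        !run(genuine, nil, false),
		PinnedAccepts:             run(genuine, roots, false),
		PinnedRejectsImpostor:     !run(impostor, roots, false),
		SkipVerifyAcceptsImpostor: run(impostor, nil, true),
	}, nil
}
func main() {
	out, err := Demo()
	fmt.Printf("%+v err=%v\n", out, err)
}
```

`Demo()` returns all four flags set: the default trust store refuses the temporary certificate (the warning users learn to click through), explicitly trusting the real server's certificate both works and rejects the look-alike, and `InsecureSkipVerify` accepts whatever answers at the address. Of the two remedies discussed in the thread, a certificate from a CA the clients already trust covers the `PinnedAccepts` case for every browser without distributing anything; a VPN, as Chuck notes, protects the path at a different layer and does not change what the TLS client accepts.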
