Re: Securing isqlplus
Chuck wrote:
> Daniel Morgan <damorgan_at_exxesolutions.com> wrote in
> news:3EC9CF44.D684FF03_at_exxesolutions.com:
>
> > Alison Holloway wrote:
> >
> >> > I can not come up with a single reason why the Oracle installation
> >> > must provide a temporary certificate. Provide what is necessary to
> >> > permanently secure the connection or buy yourself a flak jacket.
> >>
> >> Oracle is not a CA, and therefore cannot issue certificates. Oracle
> >> can, however, issue temporary certificates that aren't 'certified' to
> >> the user/company/server. These can be used for testing, but a real
> >> certificate is needed for production servers. There are professional CA
> >> companies that you should contact to buy a certificate.
> >>
> >> Alison
> >
> > I understand what you have written but it is no substitute in the
> > real-world.
> >
> > One of the major complaints about DB2 is that it is not secure without
> > purchasing an additional product: For example Tivoli. What is being
> > duplicated here appears to be an analogous situation. I spend hundreds
> > of thousands or millions of dollars to purchase a product from Oracle
> > and then have to go negotiate with someone else to purchase what I
> > need to provide a secure environment. I hope I am misunderstanding but
> > it appears that way from here. And if that is the case it is a
> > marketing disaster waiting to happen.
> >
> > Oracle should go to a professional CA company and purchase what is
> > required and then bundle it into the database or, given Oracle's
> > assets, purchase the company itself. Anything less and you've
> > surrendered a substantial piece of market-share to Bill Gates.
> >
> > Expect substantial negative feedback in Redwood Shores beginning
> > tomorrow morning unless my understanding is incorrect.
> >
> > Thanks for stepping up to the plate and telling us what is happening.
> > But it is important to remember that you are the one that stuck a
> > knife into SQLPLUSW not us. You, as Oracle, made that decision. If
> > your decision results in us having to purchase an additional product
> > at additional expense you can expect a lot of very unhappy customers
> > and that some of us will vigorously express our displeasure.
> >
> > I will look for your email off-line and here when I awake.
> > --
> > Daniel Morgan
>
> This is a tough issue. Nobody wants to have to purchase a certificate
> from a CA just to connect to their databases securely. But then again,
> imagine the fallout if you did continue to use the temporary certificate
> (which does not authenticate that you are really connecting to the server
> you think you're connecting to), and someone hijacked your server's
> address. How many passwords would most people try before giving up? In
> this scenario without even knowing it, they would have just given all
> their passwords to some hacker who also knows the real IP address of the
> database server. That's scary.
> --
> Chuck
What is scary is Oracle sacrificing its so far excellent record in data security to a new front-end tool that isn't and over which they have no control.
Please Alison ... tell me it ain't so.
--
Daniel Morgan
http://www.outreach.washington.edu/extinfo/certprog/oad/oad_crs.asp
damorgan_at_x.washington.edu
(replace 'x' with a 'u' to reply)

Received on Tue May 20 2003 - 12:30:42 CDT