Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> Re: Passwords sent from client to server via OCI calls - are

Re: Passwords sent from client to server via OCI calls - are

From: Stefan Jahnke <stefan.jahnke_at_d2vodafone.de>
Date: Wed, 09 May 2001 07:19:46 -0700
Message-ID: <F001.002FDC84.20010509070607@fatcity.com> 






Joe Sanderson schrieb:


> 

> Hello,

> 

> I'm using OCI in my application to connect to the Oracle server (currently

> using orlon call, have not yet moved on to OCILogon).  My question is this:

> when the password is sent by the OCI code from the client to the server, is

> the password encrypted?  I want to find out if my application will be

> vulnerable to network sniffers or other methods of breaching security in the

> Oracle environment.

> 

> I've looked in the Oracle documentation, and have not yet found a way to

> send anything to the orlon call other than the unencrypted password.  I have

> also not found any details on what the OCI client side code does with the

> password (if anything) before sending it to the server.

> 

> Thanks for any useful replies.

> Joe Sanderson

> 

> --

> Please see the official ORACLE-L FAQ: http://www.orafaq.com

> --

> Author: Joe Sanderson

>   INET: joe.sanderson_at_ecora.com

> 

> Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051

> San Diego, California        -- Public Internet access / Mailing Lists

> --------------------------------------------------------------------

> To REMOVE yourself from this mailing list, send an E-Mail message

> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in

> the message BODY, include a line containing: UNSUB ORACLE-L

> (or the name of mailing list you want to be removed from).  You may

> also send the HELP command for other information (like subscribing).

> 

> -----------------------------------------------------------

> This Mail has been checked for Viruses

> Attention: Encrypted Mails can NOT be checked !

> 

> ***

> 

> Diese Mail wurde auf Viren ueberprueft

> Hinweis: Verschluesselte Mails koennen NICHT geprueft werden!

> ------------------------------------------------------------




Hi,



I'm not sure, but just run a sniffer. If the passwords aren't encrypted,
they show up ... that's it.


-- 
Regards,
Stefan Jahnke
BOV AG
@:D2 Vodafone, Abt.: FIBM
-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Stefan Jahnke
  INET: stefan.jahnke_at_d2vodafone.de

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).


Received on Wed May 09 2001 - 09:19:46 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US