• SanDroid (2/7/2011)


    RichB (2/7/2011)


    What with them being inherently, disgracefully insecure.

    Are you talking about the fact that they have to be stored in plain text in connection strings that are at the least a read-only file for all users?

    Filter it for login packets... and watch in wonder as your password flies across the network in plain text! <_<

    Ok, you are talking about the same limitation of all network applications that use login packets to support application user logins stored in the application: SNMP, POP, SQL, FTP, NNTP, etc.

    IMHO: If your network security is so lax that just anyone can install and use a packet sniffer to get this data, there is not an application security issue. :w00t:

    Yes there is. Just because you also have a network security issue doesn't mean that the application security issue can be ignored. That's why when possible you use secure versions of those protocols (usually the same protocol encrypted via SSH or SSL). Or you use alternative authentication mechanisms like Windows-based authentication with Kerberos as opposed to SQL user logins.

    Yes, we use some SQL logins here, but only when the application requires it and only after evaluating other options and mitigation opportunities. It is a serious security issue, and hiding it under network security issues does nobody any good.
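An added T-SQL check for the evaluation described in the last reply (not code from any poster in the thread): it lists which active sessions authenticated with a SQL login versus Windows/Kerberos, and whether each connection is encrypted, using the documented `auth_scheme` and `encrypt_option` columns of `sys.dm_exec_connections`; it assumes the caller holds VIEW SERVER STATE.

```sql
-- Added audit query, not from the thread. Shows, per active session, how
-- the client authenticated and whether the connection is encrypted, so
-- SQL logins on unencrypted connections can be found and reviewed.
-- auth_scheme is 'SQL', 'NTLM' or 'KERBEROS'; encrypt_option is 'TRUE'/'FALSE'.
SELECT
    s.session_id,
    s.login_name,
    s.host_name,
    s.program_name,
    c.client_net_address,
    c.auth_scheme,
    c.encrypt_option,
    CASE
        WHEN c.auth_scheme = 'SQL' AND c.encrypt_option = 'FALSE'
            THEN 'SQL login on an unencrypted connection: review'
        WHEN c.auth_scheme = 'SQL'
            THEN 'SQL login, connection encrypted'
        ELSE 'Windows authentication (' + c.auth_scheme + ')'
    END AS assessment
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
    ON c.session_id = s.session_id
WHERE s.is_user_process = 1
ORDER BY
    -- unencrypted SQL-login sessions first
    CASE WHEN c.auth_scheme = 'SQL' AND c.encrypt_option = 'FALSE' THEN 0 ELSE 1 END,
    s.login_name;

-- Companion inventory: every enabled SQL login on the instance, so each one
-- can be matched to the application that actually requires it.
SELECT name, create_date, modify_date, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_disabled = 0
ORDER BY name;
```

Sessions that show `auth_scheme = 'SQL'` with `encrypt_option = 'FALSE'` are the ones to weigh against the alternatives the reply mentions (forced connection encryption or Windows authentication).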