My job has me creating a website derived from data housed in an Oracle database.
It's getting to the point now where we're going to co-locate the server and press the big green button.
Well... My boss came in today asking about the connection between my PostgreSQL database from which the website runs, and Oracle from which Postgres is populated.
That spawned a conversation about security and encryption within the OCI8 or instantclient-basic modules.
I quickly set up an Apache/PHP/OCI8 stack on my Gentoo workstation and emerged that ever-wonderful program called Wireshark.
I loaded up a script which would connect to the Oracle DB and retrieve a couple of rows from a table. Right before I hit the go button, I turned on Wireshark.
The relevant packets going to and from my machine and Oracle were captured, and I quickly found out that the OCI8 / instantclient modules do not encrypt anything but the actual password.
The password going from the client to the server is encoded.
The following is a screenshot of the packet which contained the encrypted password. (portions have been taken out, just in case)
Although it's intentionally obfuscated, the password portion of the data contains a string of text which differs from the one I provided in my oci8 connection string.
This is pretty good to know. I tried to find this information on the Internet for about an hour before rigging it up and doing it myself.
Hope this helps someone.
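
The check described above (capture the client's traffic, then look for readable query text) can be automated. The following is an added example, not code from the original post; it assumes the classic 8-byte TNS packet header (2-byte big-endian length, type byte at offset 4, type 6 = Data), and the helper names and byte streams are constructed for illustration in place of a real capture.

```python
import re
import struct

TNS_DATA = 6  # packet type "Data" in the classic TNS header (assumption, see lead-in)
SQL_HINT = re.compile(rb"\b(SELECT|INSERT|UPDATE|DELETE|FROM|WHERE)\b", re.I)
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")  # runs of 6+ printable ASCII bytes


def tns_frames(stream):
    """Split a reassembled TCP byte stream into (packet_type, payload) pairs."""
    offset = 0
    while offset + 8 <= len(stream):
        length, _cksum, ptype, _flags, _hcksum = struct.unpack_from(">HHBBH", stream, offset)
        if length < 8 or offset + length > len(stream):
            break  # truncated capture or not a classic TNS header: stop parsing
        yield ptype, stream[offset + 8:offset + length]
        offset += length


def cleartext_sql(stream):
    """Return readable strings in Data packets that look like SQL statements."""
    findings = []
    for ptype, payload in tns_frames(stream):
        if ptype != TNS_DATA:
            continue  # connect/accept packets are skipped; only Data is checked
        for run in PRINTABLE_RUN.findall(payload):
            if SQL_HINT.search(run):
                findings.append(run.decode("ascii"))
    return findings


def _frame(ptype, payload):
    """Build a constructed TNS packet (checksums left at zero)."""
    return struct.pack(">HHBBH", 8 + len(payload), 0, ptype, 0, 0) + payload


# Constructed sample streams, not taken from a real capture.
PLAIN_STREAM = (
    _frame(1, b"(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=demo)))")
    + _frame(6, b"\x00\x00\x03\x05\x1f" + b"SELECT id, name FROM demo_table" + b"\x01\x00")
)
OPAQUE_STREAM = _frame(6, bytes(range(0x80, 0xC0)))  # stands in for encrypted data

if __name__ == "__main__":
    for name, stream in (("plain", PLAIN_STREAM), ("opaque", OPAQUE_STREAM)):
        hits = cleartext_sql(stream)
        print(name, "-> cleartext SQL visible:" if hits else "-> no readable SQL", hits)
```

Any hit from `cleartext_sql` on a real capture means queries and result data are crossing the wire readable, which is the condition the capture above revealed.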