Pages
About Me
Links
Tags
PERSONAL 520
SPIRITUAL 416
LDS 312
BOOK OF MORMON 237
SCRIPTURES 154
STUDIO-JOURNEY 129
RELIGION 112
LINUX 79
COMPUTERS 65
LIFE 60
GENERAL CONFERENCE 46
GENTOO 39
MISCELLANEOUS 37
MUSIC 37
PROGRAMMING 33
CARS 29
MICROSOFT 23
FAMILY 23
AUDIO 21
I LOVE MY JOURNAL 18
FUN 15
CHILDREN 12
CURRENT EVENTS 10
NATURE'S WAY 10
VIDEO 9
DRM 9
CONEXM 7
BABBLINGS 7
PROVO CITY CENTER TEMPLE 6
FRIENDS 6
HEROD THE FINK 5
GAMES 5
COMPUTER HARDWARE 5
DRUMS 4
HAND OF GOD 3
ADVERSITY 3
KDENLIVE 3
AUDIO HARDWARE 3
GENERAL INSANITY 3
STUDIO 3
THANKS4GIVING 2
CATS 2
MY JOURNAL 1
POETRY 1
FOREVERGREEN 1
EVERYDAY THOUGHTS 1
GOSPEL 1
PARENTING 1
YOUTH CONFERENCE 1
CHURCH NOTES 1
POLITICS 1
RSS Feed
Subscribe!Wed - Mar 05, 2008 : 05:42 pm
content
 |
|
|
|
|
rated 0 times |
Is OCI8 in PHP encrypted?
My job has me creating a website derived from data housed in an Oracle database.
It's getting to the point now where we're going to co-locate the server and press the big green button.
Well... My boss came in today asking about the connection between my postgresql database from which the website runs, and Oracle from which Postgres is populated.
That spawed a conversation about security and encryption within the OCI8 or instantclient-basic modules.
I quickly set up an apache/php/oci8 stack on my gentoo workstation and emerged that ever wonderful program called wireshark.
I loaded up a script which would connect to the oracle db and retrieve a couple of rows from a table. Right before I hit the go button, I turned on wireshark.
The relevant packets going to and from my machine and oracle were captured, and I quickly found out that the OCI8 / instantclient modules do not encrypt anything but the actual password being transferred.
The password going from the client to the server is encoded.
The following is a screenshot of the packet which contained the encrypted password. (portions have been taken out, just in case)
Although it's intentionally obfuscated, the password portion of the data contains a string of text which differs from the one I provided in my oci8 connection string.
This is pretty good to know. I tried to find this information on the Internet for about an hour before rigging it up and doing it myself.
Hope this helps someone.
It's getting to the point now where we're going to co-locate the server and press the big green button.
Well... My boss came in today asking about the connection between my postgresql database from which the website runs, and Oracle from which Postgres is populated.
That spawed a conversation about security and encryption within the OCI8 or instantclient-basic modules.
I quickly set up an apache/php/oci8 stack on my gentoo workstation and emerged that ever wonderful program called wireshark.
I loaded up a script which would connect to the oracle db and retrieve a couple of rows from a table. Right before I hit the go button, I turned on wireshark.
The relevant packets going to and from my machine and oracle were captured, and I quickly found out that the OCI8 / instantclient modules do not encrypt anything but the actual password being transferred.
The password going from the client to the server is encoded.
The following is a screenshot of the packet which contained the encrypted password. (portions have been taken out, just in case)
Although it's intentionally obfuscated, the password portion of the data contains a string of text which differs from the one I provided in my oci8 connection string.
This is pretty good to know. I tried to find this information on the Internet for about an hour before rigging it up and doing it myself.
Hope this helps someone.
Comment by Ekin on Mar. 07, 2013 @ 05:40 pm
You are my lifesaver. I hawe been googling this for AGES.