Wednesday, March 21, 2012

Microsoft DevDays 2004 - Smart Client 3 - Security session

Hi there,
Have you guys watched the Smart Client 3: Developing Secure Smart Client
Applications by a presenter called Jeff Levinson
(http://msdn.microsoft.com/events/devdays/sessions/).
I have got a really really quick question regarding the security hole he
found on the demo...
(you need to have watched it to understand the following)
He said he decrypted his credential on the database server and uploaded his
database connection string in clear text. And then he can packet sniff all
the traffic in between the application server and the database server...
(Sorry, I may have heard it incorrectly as I was watching the webcast on the
net and English is not my mother tongue.)
Can someone explain to me a little more on what exactly did he mean.
Thanks heaps!!

I have not watched this particular event but I have taught it. He is
probably talking about using IPSEC between the app server and database
server. This ensures that you cannot use a packet sniffer to see the
unencrypted data on the network.
"one" <one@.discussions.microsoft.com> wrote in message
news:8E074D9C-184B-42BA-BFD8-FF33B3C1A659@.microsoft.com...
> Hi there,
> Have you guys watched the Smart Client 3: Developing Secure Smart Client
> Applications by a presenter called Jeff Levinson
> (http://msdn.microsoft.com/events/devdays/sessions/).
> I have got a really really quick question regarding the security hole he
> found on the demo...
> (you need to have watched it to understand the following)
> He said he decrypted his credential on the database server and uploaded his
> database connection string in clear text. And then he can packet sniff all
> the traffic in between the application server and the database server...
> (Sorry, I may have heard it incorrectly as I was watching the webcast on the
> net and English is not my mother tongue.)
> Can someone explain to me a little more on what exactly did he mean.
> Thanks heaps!!

Thanks Chris. You are right. After reading your post, I went back and
listened to the webcast again and I found the transcript. And here is what
he said:
<snip>... There's one small problem, and that problem exists right here.
See I've gone and decrypted my database credentials, and then I've sent my
connection string to the database in plain text. Oops! With all this
security- all I need to do is drop a listener or somewhere on the network to
listen in between those two machines, and I'm going to pull back every piece
of data that you've put across the network we've gone through all this
trouble to secure... </snip>
And to resolve this issue, he suggested using IPSec.
Thanks again Chris.
"Chris Rolon" wrote:

> I have not watched this particular event but I have taught it. He is
> probably talking about using IPSEC between the app server and database
> server. This ensures that you cannot use a packet sniffer to see the
> unencrypted data on the network.
>
> "one" <one@.discussions.microsoft.com> wrote in message
> news:8E074D9C-184B-42BA-BFD8-FF33B3C1A659@.microsoft.com...
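
The fix Chris and the session point to, written out as an added example that is not part of this thread or of the DevDays demo: an IPsec connection security rule on the application server that requires ESP for every packet sent to SQL Server on TCP 1433, followed by the check that a security association actually came up. This is the modern PowerShell form (NetSecurity module, Windows Server 2012 and later); in 2004 the same policy was built with netsh ipsec or the IP Security Policy MMC snap-in. The addresses 10.0.1.10 (app server) and 10.0.1.20 (database server), the port, the rule and set names, and the use of Kerberos machine authentication on domain-joined hosts are all assumptions made for the example.

```powershell
# Added example, not code from the DevDays session or the thread.
# Assumptions (hypothetical values): app server 10.0.1.10, database server 10.0.1.20,
# SQL Server listening on TCP 1433, both hosts domain-joined so Kerberos machine
# authentication is available. Run in an elevated session on the app server; on the
# database server run the same commands with LocalAddress/RemoteAddress swapped and
# -RemotePort replaced by -LocalPort 1433.

$AppServer = '10.0.1.10'
$DbServer  = '10.0.1.20'
$SqlPort   = 1433

# Phase 1 (main mode) authentication: machine Kerberos identity, no pre-shared keys.
$p1     = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'SQL-Phase1-Kerberos' -Proposal $p1

# Quick mode crypto: ESP with AES-256 encryption and SHA-256 integrity.
# No AH-only and no null-encryption proposal, so "protected" never means "just signed".
$qm    = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'SQL-ESP-AES256-SHA256' -Proposal $qm

# Transport-mode rule for TCP 1433 to the database server. InboundSecurity and
# OutboundSecurity are set to Require, not Request: with Request a peer that has no
# matching policy silently falls back to cleartext TDS, which is exactly the hole in
# the demo. With Require the cleartext packets are dropped instead.
New-NetIPsecRule -DisplayName 'Require IPsec to SQL Server' `
    -Mode Transport `
    -LocalAddress $AppServer -RemoteAddress $DbServer `
    -Protocol TCP -RemotePort $SqlPort `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $phase1.Name `
    -QuickModeCryptoSet $qmSet.Name

# Check: while the application holds an open connection, a quick-mode SA to the
# database host must exist. An empty result here means the traffic is still cleartext.
# Property names are those reported by Get-NetIPsecQuickModeSA; confirm with Get-Member.
Get-NetIPsecQuickModeSA |
    Where-Object { $_.RemoteEndpoint -eq $DbServer } |
    Select-Object LocalEndpoint, RemoteEndpoint, EspEncryption, EspIntegrity
```

Two caveats worth keeping in mind. IPsec protects the hop between these two machines, not the database session itself, so a listener placed anywhere the policy does not reach (or on a host that can authenticate to the peer) is outside its scope. The other standard way to close the same gap is to have the SQL client encrypt the session end to end (Encrypt=True in the connection string, with a server certificate the client actually validates rather than TrustServerCertificate=True), which also covers paths where no IPsec policy is deployed.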
