security

用perl写的Oracle管理工具

   Hello, world.. :)

   I decided to provide some information about cookies
because many people do not want to use a cookie based 
application, like Oracletool, due to security concerns
pertaining to cookies. Personally, I've found that
chocolate chip cookies are quite tasty and secure, but
that's an entirely different story, albeit no less important..

Let me know if I leave anything out.

Q: What are cookies?
A: Cookies are files, or entries, that are stored on your PC. Your
   PC being the machine that you are running your browser
   on. When you start your browser it reads these files and 
   puts the information in memory. When you close your browser
   it writes this information back to your disk.

Q: Where do they come from? 
A: They come from web servers, or sites. When you access a
   site, it will often write a cookie to your browser, which
   writes the file to your PC when you close the browser. By
   writing a cookie, the site can access it later, and that's
   how sites seem to know who you are when you return. It goes
   like this...

   You access yahoo.com
   Yahoo.com askes you for your name.
   You type it in.
   Yahoo.com sends a cookie to your browser with that information.
   Your browser saves it. 
   One week later, you access Yahoo.com again.
   Yahoo.com reads the cookie, and knows who you are. Amazing!

Q: Are cookies secure?
A: It depends on how they are used, and your views on security.
   Cookies can only be as secure as your PC. If someone walks up
   to your PC, starts your browser, and accesses Yahoo.com, the
   steps above occur and that person in essentially _you_ now.
   Cookies are stored in text files, so they can be read by 
   any text editor on your PC if you know where to look for them.
   In versions prior to 1.2.0, Oracletool stored usernames and 
   passwords in plain text which was very unsecure. These cookies 
   can now be encrypted by adding a few Perl modules to your
   system. I feel that this is a very secure method of storing 
   this information provided there is no security loopholes in
   your browser. Internet Explorer (4.5) has one such loophole. 
   The description of the problem is at (As of May 26, 2000)
   http://peacefire.org/security/iecookies
   and the fix is at 
   http://www.microsoft.com/technet/security/bulletin/ms00-033.asp

   Keep in mind that not only do they have to have your information,
   they need to have access to your network. This means that most 
   databases are already protected from everyone but your co-workers.
   
   If someone was to break into your computer and read your cookie,
   file, a typical entry will look like this if you are using the 
   Oracletool encryption...

   toolbox.sessionid52616e646f6d4956d503c1af9bca21e8338a2a8786cc25f74fc098e88047fc3c

   And will look like this if you are not...

   toolbox.sessionidsystem~manager

   That's a big difference! I will always suggest (as of 1.2.0) using the 
   encryption if possible. The only way that someone can decode the
   top string is if they know what type of encryption is being used,
   and if they know the encryption key, which is a parameter in the 
   oracletool.ini that is set by the administrator. You have several
   different encryption types to choose from when using Oracletool.

   Some people are extremely security concious, and will never trust
   a cookie based application. That's just the way it is. The fact is,
   your cookies are but one of many things that a malicous person will
   have access to if he or she breaks into your computer. I Hope this
   has helped to explain how Oracletool protects your passwords. If
   you have concerns about security pertaining to the way in which 
   Oracletool operates, please email me at adam@oracletool.com and
   we will discuss it further.

      Best regards,

          Adam vonNieda