Subject Re: [firebird-support] Guys! I got it! - Re: Avoiding hard-coding db pass in app - without using db users
Author Zd
Dear Daniel,

If users connected individually with their own usernames/passwords to the database itself, how would that be any different? The hacker could easily get their passwords this way too...

Firebird doesn't provide secure connections; instead I'm thinking of using a third-party tool like ZeBeDee to create a secure tunnel, in which I can send the SYSDBA password back.

As I said before, if the hacker can get the username/password of a real user, the game is over.

I can't imagine a solution that is more secure than this.

Regards,
Zd

----- Original Message -----
From: Daniel Albuschat
To: firebird-support@yahoogroups.com
Sent: Tuesday, November 11, 2008 9:13 AM
Subject: Re: [firebird-support] Guys! I got it! - Re: Avoiding hard-coding db pass in app - without using db users


Hi Zd,

Unfortunately this is not secure. You can easily sniff or otherwise
find out the password of the user that has access rights to get the
SYSDBA password. This can either be done with network-sniffing tools
like Wireshark (I actually don't know how strong Firebird's password
protection is over the wire) or by replacing the Firebird server with
a custom version that outputs the password that was used to
authenticate.

Please read this document:

http://www.firebirdsql.org/pdfmanual/Firebird-Security.pdf

Regards,

Daniel Albuschat

--
eat(this); // delicious suicide
