Re: [Fwd: [CORE SDI ADVISORY] MySQL weak authentication]

On Tue, Oct 24, 2000 at 10:25:14AM -0400, Lamar Owen wrote:
> I am forwarding this not to belittle MySQL, but to hopefully help in the
> development of our own encryption protocol for secure password
> authentication over the network.
>
> The point being is that if we offer the protocol to do it, we had better
> ensure its security, or someone WILL find the hole.  Hopefully it will
> be people who want to help security and not exploit it.

IMO, anything short of a full SSL wrapped connection is fairly
pointless.  What does it matter if the password is encrypted if
sensitive query data flows in the clear?
--
Bruce Guenter <bruceg@em.ca>                       http://em.ca/~bruceg/