Re: Specifying server name in certificate for TLS connection
Well, connection strings are often hard-coded in configuration files, sometimes obfuscated by layers of components in the application stack. A not-so-well-informed user may deploy such applications not even being aware they exist. An attacker that somehow gains access to the application's setup may tamper with them and cause unexpected harm or maybe even be able to open back doors or so.
Of course we all need to live with connection strings and it's up to the developers to protect their systems' configurations the best they can. Of course we can argue that if one has access to an application connection string then probably almost everything else is also open to them... anyway, I think we all benefit from a smaller attacking surface and the question is how we weigh the pros and cons here.