Does Squirrel communicate in clear text?

Does Squirrel communicate in clear text?

Gonyer, Lisa

Hello,

 

I have been a fan of SQuirreL for almost 8 years. However, in the process of upgrading my laptop, I was informed by our IT team that they can no longer install SQuirreL because they were informed it communicates in clear text. Can someone please direct me to documentation (and where within) it states that communication is encrypted or otherwise secure OR communication is in clear text? I would like to debunk the clear text argument so I can continue to use this client.

 

Thanks!

 



_______________________________________________
Squirrel-sql-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/squirrel-sql-users
Re: Does Squirrel communicate in clear text?

John Hardin
On Wed, 17 Apr 2013, Gonyer, Lisa wrote:

> I have been a fan of SQuirreL for almost 8 years. However, in the
> process of upgrading my laptop, I was informed by our IT team that they
> can no longer install SQuirreL because they were informed it
> communicates in clear text. Can someone please direct me to
> documentation (and where within) it states that communication is
> encrypted or otherwise secure OR communication is in clear text? I
> would like to debunk the clear text argument so I can continue to use
> this client.

That depends almost entirely on the JDBC drivers that it uses to
communicate with the database server.

Which database server platform are you talking to? Check the vendor's page
and see what they have to say (if anything) about encryption of network
traffic in their JDBC client.

If they say communication is in cleartext, there's nothing Squirrel can do
about it, but then *any* Java database app talking to that database would
have the same problem.

If they say communication is encrypted, then it's encrypted.

If they say encryption is optional and the client may choose to disable
it, and encryption is controlled via the JDBC connect string, then it's
under your control - use the right connect string! That's not specific to
Squirrel.

If they say encryption is optional and the client may choose to disable
it, and it's controlled by standard JDBC API options (assuming there are
such), then I'd expect to see an option somewhere in the Squirrel UI to
enable or disable encryption. Is there an option like that? I haven't
looked... This is the only case in which what Squirrel does matters.


That said, most insecure network protocols can be made secure using a
package called stunnel, but that's a network-geekish solution that
(ideally) requires access to install stunnel on the database server, and
your IT team may balk at that solution. :)

--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  [hidden email]    FALaholic #11174     pgpk -a [hidden email]
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Our government should bear in mind the fact that the American
   Revolution was touched off by the then-current government
   attempting to confiscate firearms from the people.
-----------------------------------------------------------------------
  Today: the 238th anniversary of The Shot Heard 'Round The World

Re: Does Squirrel communicate in clear text?

Robert Manning
To further John's excellent explanation, I believe I have seen Oracle documentation for "ssl-ifying" connections using PKI materials. This is likely accomplished using JDBC driver properties, which SQuirreL allows you to set on each Alias (right-click on the alias, choose "Alias Properties", then the "Driver Properties" tab). You should consult the vendor documentation from whoever distributes your JDBC driver.

Rob
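
The case analysis in the two replies above, as an added example (not code from SQuirreL or from either poster): a small Java check that reports what transport security a JDBC URL plus driver properties request. It goes beyond the Oracle case mentioned in the thread to cover PostgreSQL, MySQL and SQL Server, and looks at one setting per driver (`sslmode`/`sslMode`, `encrypt` with `trustServerCertificate`, `tcps` with `oracle.net.ssl_server_dn_match`); each driver's other TLS switches are not examined. The class name, verdict names, sample URLs and host are assumptions made for the example.

```java
import java.util.*;

public class JdbcTlsAudit {
    // Driver defaults vary by version: a missing setting is NOT_REQUESTED, not "cleartext".
    enum Verdict { VERIFIED_TLS, ENCRYPTED_WEAK_AUTH, NOT_REQUESTED, UNKNOWN_DRIVER }
    static Verdict tls(boolean idChecked) { return idChecked ? Verdict.VERIFIED_TLS : Verdict.ENCRYPTED_WEAK_AUTH; }

    // Merge URL parameters with driver Properties (properties override here; drivers differ).
    static Map<String, String> settings(String url, Properties props) {
        Map<String, String> m = new HashMap<>();
        String[] parts = url.split("[?;&]");          // parts[0] is scheme, host and path
        for (int i = 1; i < parts.length; i++) {
            String[] kv = parts[i].split("=", 2);
            if (kv.length == 2) m.put(kv[0], kv[1]);
        }
        for (String k : props.stringPropertyNames())
            m.put(k.toLowerCase(), props.getProperty(k).trim().toLowerCase());
        return m;
    }

    static Verdict audit(String rawUrl, Properties props) {
        String u = rawUrl.toLowerCase().replaceAll("\\s+", "");
        Map<String, String> s = settings(u, props);
        if (u.startsWith("jdbc:postgresql:") || u.startsWith("jdbc:mysql:")) {
            String mode = s.getOrDefault("sslmode", ""); // pgjdbc sslmode, Connector/J sslMode
            if (!mode.startsWith("require") && !mode.startsWith("verify")) return Verdict.NOT_REQUESTED;
            return tls(mode.equals("verify-full") || mode.equals("verify_identity"));
        }
        if (u.startsWith("jdbc:sqlserver:")) {
            if (!s.getOrDefault("encrypt", "").equals("true")) return Verdict.NOT_REQUESTED;
            return tls(!s.getOrDefault("trustservercertificate", "false").equals("true"));
        }
        if (u.startsWith("jdbc:oracle:thin:")) { // TLS (tcps) only, not Oracle native encryption
            if (!u.contains("protocol=tcps") && !u.contains("@tcps:")) return Verdict.NOT_REQUESTED;
            return tls(s.getOrDefault("oracle.net.ssl_server_dn_match", "false").equals("true"));
        }
        return Verdict.UNKNOWN_DRIVER;
    }

    public static void main(String[] args) {
        // Constructed sample aliases; db.example.test is a placeholder host.
        String ora = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)"
                + "(HOST=db.example.test)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=app)))";
        Properties none = new Properties(), dnMatch = new Properties();
        dnMatch.setProperty("oracle.net.ssl_server_dn_match", "true");
        System.out.println(audit(ora, none) + " / " + audit(ora, dnMatch));
        System.out.println(audit("jdbc:postgresql://db.example.test/app?sslmode=require", none));
        System.out.println(audit("jdbc:sqlserver://db.example.test;databaseName=app", none));
    }
}
```

The verdict describes what the configuration requests, not what a particular driver version actually negotiated with the server.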

