Passwords encrypted over the network: why is this feature not enabled by default?
Posted: 26 June, 2017
In 2015 I wrote a blog post about using simple password encryption (SPW) and how – without it – your valuable passwords can be trivially sniffed on your network. If you look through the post it illustrates the vulnerability and shows just how easy it is to set your system up in a more secure way.
SPW only encrypts your password when you connect. Not everyone wants or needs full encryption of all their traffic but what reasons are there not to use SPW?
- It requires a small amount of extra set-up work, although this can (should?) be automated.
- It means your database engine spawns some extra cssmbox_cn threads, although they are only used at connection time and the overhead is low.
- Consideration should be given to patching the IBM Global Security Kit (GSKit) separately from the server and client, both of which bundle it.
I don’t know of any other drawbacks. In my opinion these are nothing substantive when you consider your peace of mind.
If you have Fix Central access you can always download the latest GSKit from here. Although it’s used by many IBM products it’s filed under Tivoli which isn’t obvious at all.
Patching the GSKit separately isn’t necessarily something you need to do but it isn’t only used by SPW: if you’ve set ENCRYPT_HDR, ENCRYPT_SMX or ENCRYPT_CDR, for example, you are using it. The GSKit doesn’t get installed in INFORMIXDIR; it’s installed by RPM (on Linux) to /usr/local/ibm and only one version can exist on your server. So if you’re used to pre-installing a new version of Informix server or Client SDK in its own folder prior to an upgrade, be aware that you may just have unwittingly upgraded the GSKit.
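One way to catch the unwitting GSKit upgrade described above is to snapshot the installed GSKit RPM versions before and after the pre-install and compare them. This is an added example, not code from the original post; the package names (gskcrypt32/64, gskssl32/64), the function names and the sample version numbers are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): compare GSKit RPM versions
# captured before and after installing a new Informix server or Client SDK.
# Assumption: the GSKit packages are named gskcrypt32/64 and gskssl32/64.
# Each snapshot is the output of:  rpm -qa --qf '%{NAME} %{VERSION}\n'

# version_ge A B: succeed when dotted version A >= B, comparing each
# component numerically (so 8.0.50.10 is newer than 8.0.50.9).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }' </dev/null
}

# gskit_report BEFORE AFTER MIN: print one line per GSKit package that is
# new or changed in AFTER, and one line per package older than MIN.
gskit_report() {
    before=$1; after=$2; min=$3
    printf '%s\n' "$after" | awk '$1 ~ /^gsk(crypt|ssl)(32|64)$/' |
    while read -r pkg new; do
        old=$(printf '%s\n' "$before" | awk -v p="$pkg" '$1 == p { print $2 }')
        if [ -z "$old" ]; then
            echo "NEW $pkg $new"
        elif [ "$old" != "$new" ]; then
            echo "CHANGED $pkg $old -> $new"
        fi
        version_ge "$new" "$min" || echo "BELOW_MIN $pkg $new < $min"
    done
}

# Constructed sample snapshots (illustrative values, not versions from the post).
BEFORE='gskcrypt64 8.0.50.9
gskssl64 8.0.50.9
bash 4.2.46'
AFTER='gskcrypt64 8.0.50.10
gskssl64 8.0.50.10
bash 4.2.46'
gskit_report "$BEFORE" "$AFTER" 8.0.50.20
```

On a real server, capture the first snapshot before unpacking the new product and the second one afterwards, and pass the minimum GSKit version your client or server release requires as the third argument.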
The feature has suffered a few issues lately and is currently broken when used with the Informix JDBC driver in 11.70.xC9; connections supported by CSDK or IConnect work fine. I think the feature would be more dependable if more people used it (or if the product testing stress tested this area). Here are some relatively recent issues:
- All recent JDBC drivers earlier than 4.10.JC8 (including 3.70.JC8W1) suffer from an issue where a small proportion of connections will fail. You might not notice this if your application can capture logon failures and retry automatically. There is no APAR for this that I know of as 4.10.JC8 was extensively reworked for JDBC 4.0 support.
- Informix 11.70.xC9 contains fix IT10493 but this caused a high rate of logon failures with SPW and fix IT17087 is additionally needed but not included.
- If you’re using the 12.10 code line you need xC8 or later to get the same fix.
- CSDK 4.10.FC8 ships with an incompatible GSKit version, 220.127.116.11, but actually requires 18.104.22.168+ (APAR IT18763). You may not notice this, however, if your server software ships with a later version.
I hope this doesn’t come across as a moan, more a call to action.