Are the remote DB MobiLink username and password passed to the server for authentication in plain text or in encrypted form?

I have a consolidated DB and remote DBs. I'm not sure how MobiLink authentication works. Please help by pointing me to a link or document for this.

Password is an optional field when creating the MobiLink username. So if the password is not given, then only the username is used for authentication, and that too in plain text?

Thanks in advance.

asked 09 Aug '11, 13:39

Vineet


If you encrypt your network traffic (using HTTPS or encrypted TCP/IP), then the password is encrypted, too. This is the only way to ensure the security of your sync traffic, which includes the MobiLink username and password. Without encryption, the username is in cleartext and the password is merely obfuscated.

See: http://dcx.sybase.com/index.html#1201/en/mlclient/mc-users.html*d5e265 for details on MobiLink users and authentication.

If you don't specify a password when creating a user in Sybase Central, then you will need to specify either a NULL password or the empty string. How you specify this depends on your MobiLink client. Sorry I'm not sure which one it is (NULL or empty string) but it will be one or the other. :-)

answered 09 Aug '11, 14:23

RussC_FromSAP

Just to add to this: if the MobiLink user hasn't supplied any password, then it will be added as NULL automatically in the ml_user table.

(10 Aug '11, 03:10) Vineet

All communication is done over TCP to the MobiLink server. The TCP protocol used can be direct point-to-point TCP, or over HTTP.

TCP communications are unencrypted, by default. Similar to the database server, the initial MobiLink login packet information is obfuscated, but this obfuscation can potentially be reverse engineered. (Meaning that it is essentially always considered 'plain text', but is slightly harder to humanly read with a packet sniffer - this does not preclude the possibility of a MITM/replay attack though!)

The way to guarantee encrypted communications is to use a secure protocol such as HTTPS or TLS. Setting up secure communications involves first creating/purchasing X.509 PKI Certificates.

answered 09 Aug '11, 14:49

Jeff Albion
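
A defender's check for the point made in the answers above, as an added example that is not part of the original thread or of SAP's code: it audits a MobiLink server command line and flags every `-x` listener that would carry the MobiLink username and password without transport encryption. The command lines are constructed samples; treating a missing `-x` as a cleartext TCP/IP listener and requiring an `identity` option on `tls`/`https` listeners are assumptions of this example.

```python
import re

# Stream types for the MobiLink server -x option. Only tls and https encrypt
# the sync stream, and with it the MobiLink username and password.
ENCRYPTED = {"tls", "https"}
CLEARTEXT = {"tcpip", "http"}

# Matches "-x protocol", optionally followed by "(opt=value;opt=value)".
X_OPTION = re.compile(r"-x\s+(\w+)(?:\(([^)]*)\))?")

# Constructed sample command lines (not taken from the thread).
SAMPLE_PLAIN = 'mlsrv12 -c "dsn=consol" -x tcpip(port=2439)'
SAMPLE_TLS = 'mlsrv12 -c "dsn=consol" -x tls(port=2439;identity=server.id)'
SAMPLE_MIXED = ('mlsrv12 -c "dsn=consol" '
                '-x https(port=443;identity=server.id) -x http(port=80)')


def audit_listeners(cmdline):
    """Return one finding per -x listener found on the command line."""
    findings = []
    for proto, raw_opts in X_OPTION.findall(cmdline):
        proto = proto.lower()
        pairs = (item.partition("=") for item in raw_opts.split(";"))
        opts = {k.strip().lower(): v.strip() for k, _, v in pairs if k.strip()}
        if proto in ENCRYPTED:
            # Assumption: a TLS/HTTPS listener without a server identity
            # (certificate plus private key) is reported as misconfigured.
            status = "encrypted" if opts.get("identity") else "misconfigured"
        elif proto in CLEARTEXT:
            status = "cleartext"
        else:
            status = "unknown"
        findings.append(
            {"protocol": proto, "port": opts.get("port"), "status": status})
    if not findings:
        # Assumption: with no -x option the server listens on plain TCP/IP.
        findings.append({"protocol": "tcpip", "port": None, "status": "cleartext"})
    return findings


def credentials_exposed(cmdline):
    """True if any listener lets credentials travel obfuscated, not encrypted."""
    return any(f["status"] != "encrypted" for f in audit_listeners(cmdline))


if __name__ == "__main__":
    for sample in (SAMPLE_PLAIN, SAMPLE_TLS, SAMPLE_MIXED):
        print(credentials_exposed(sample), audit_listeners(sample))
```

A server that keeps a cleartext listener alongside an encrypted one is still reported as exposed, because a remote configured for plain TCP/IP or HTTP would still send its credentials over it.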

I doubt we document that when the recommended way to protect passwords is to strongly encrypt your network traffic.

FWIW I just looked at the code for v12 and the obfuscation is there.

answered 10 Aug '11, 09:52

RussC_FromSAP

Thanks Russ and Jeff for your inputs.

Now I understand that authentication data is obfuscated during transmission to the server. Can you please point me to some doc or article to support this statement?

I was not able to find this in the link given by Russ.

answered 10 Aug '11, 06:30

Vineet
