Hi, > I use the iBatis framework to establish a connection. I have
Could you still tell me what is your database URL? I will change the sentence in the documentation to: "For server mode connections, user passwords are never transmitted in plain text over the network (even when using insecure connections; this only applies to the TCP server and not to the H2 Console however; it also doesn't apply if you set the password in the database URL)" Maybe you mean the H2 Console. It is true that the password is sent from the browser to the Console without encryption (if using http://). While I could implement SHA256 in Javascript, it would be slow, and it would only work for H2 databases. But the H2 Console should support other databases as well. Regards, Thomas On Thu, Apr 2, 2009 at 9:36 PM, Abyric <[email protected]> wrote: > > Hi, Thomas! > > You can reproduce this by letting wireshark listen to your localhost > traffic (if your remote server is running there). > I used a browser with the H2 Console to log in. I did not enable file > encryption and also did not specify a SSL connection. > So basically its a vanilla setup. > > About the embedded statement, I might be wrong on that one. > I've produced a small example which uses an embedded database and was > not able to intercept packets. > This is probably because the embedded database runs inside the same > VM, meaning that all traffic stays inside the VM, correct? > Most likely, my earlier findings were based on a remote running server > as well. > > Thanks for your time, > Jeff > > > > > I use the iBatis framework to establish a connection. I have > > On Apr 2, 8:34 pm, Thomas Mueller <[email protected]> > wrote: >> Hi, >> >> How do you set the password? Do you set it in the password in the >> database URL? Could you provide some sample code how you got the >> connection? >> >> Regards, >> Thomas >> >> On Thu, Apr 2, 2009 at 8:32 PM, Abyric <[email protected]> wrote: >> >> > The features page mention this: >> >> > *User passwords are never transmitted in plain text over the network >> > (even when using insecure connections) >> >> > If this applies to remote databases that do not use SSL this statement >> > is false. >> >> > This statement is also false when using a local embedded database. >> >> > I can proof this by running wireshark and intercept the packets while >> > listening on the localhost. The first packet I receive contains the >> > username, password and schema. >> >> > Jeff > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "H2 Database" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/h2-database?hl=en -~----------~----~----~----~------~----~------~--~---
