I guess everything is possible, but I am wondering how easy it is for someone to hijack a connection string with a network packet analyzer or equivalent tool.

A WinForms application fetches data directly from an MSSQL server. (Supposing there are no web services in the middle for extra protection.)

1) Is it possible for someone with an analyzer to read the connection string as clear text?

2) Could the connection string be protected with an SSL certificate?

3) Should the SSL certificate be installed on the SQL server?

4) I already own an SSL certificate (http**s**). Could I also install it for the SQL server?

5) Will the speed of the returned data be reduced due to SSL?

Thanks in advance

+1  A: 

If it isn't encrypted, it can be read, yes. Note that the SQL Native Client may often perform a non-SSL based encryption (depending on lots of factors), but yes, it can also be encrypted with SSL; see TechNet. And yes, it slows things down slightly. The requirements for the certificate are all in the TechNet article. But please don't expose your db server to the internet...

Marc Gravell
+2  A: 
  1. Yes. If they're on the same network as the packet sniffer (henceforth "the sniffer") and the connection string is in plain text it's easy. Using a switch instead of a hub will not make it any harder to do this.
  2. Still possible using a man-in-the-middle attack. Channel binding is designed to detect and prevent this, along with careful examination of the certificate received by the client. Client certificates would help strengthen this as well.
  3. Yes, it should.
  4. As long as the host name matches the SQL server exactly it should work; otherwise you'll need a new cert.
  5. It probably will reduce the speed but not by much. Benchmark it and see if the slowdown still gives acceptable performance; there's no other way to predict the impact with any degree of reliability.

One other thing: if the connection string is encrypted I can still analyze the packet to find your server's location and if the data being passed back and forth isn't encrypted I can still read it even if I can't connect to the sql server. I can also potentially modify it. This is why it's unusual for a SQL connection to exist over the internet and why it's usually either connecting to a DB on the same server, connecting via a local network, connecting via a VPN, or encrypting the whole data stream.

Jeff Tucker
Regarding 4: Could I export my certificate and private key and use it on another server?
Chocol8
Certificates are signed based on the host that you're connecting to so as long as the host name is identical then you should be fine (usually this would happen if you replaced a computer). If the other server has a different host name then you can still use the cert but the client will get an error whenever it tries to connect saying that the name doesn't match. Does this answer your question?
Jeff Tucker
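
The three conditions the answers turn on (no encryption, encryption without certificate validation, and a certificate whose name does not match the server) can be checked from the connection string itself. The following Python audit is an added example, not code from either answer or from Microsoft; it uses SqlClient's `Encrypt` and `TrustServerCertificate` keywords, treats a missing `Encrypt` as off (an assumption that matches the older SqlClient default), and all host, database and certificate names are constructed.

```python
# Added example: audit SqlClient-style connection strings for transport risks.
# All server names, databases and certificate names below are constructed.

ENCRYPT_ON = {"true", "yes", "mandatory", "strict"}
YES = {"true", "yes"}
SERVER_KEYS = ("data source", "server", "address", "addr", "network address")


def parse(conn_str):
    """Split 'Key=Value;...' into a dict with lower-cased keys (no quoted ';' support)."""
    pairs = {}
    for part in conn_str.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs


def server_host(pairs):
    """Host part of the data source, without 'tcp:' prefix, ',port' or '\\instance'."""
    raw = next((pairs[k] for k in SERVER_KEYS if k in pairs), "")
    if raw.lower().startswith("tcp:"):
        raw = raw[4:]
    return raw.split(",")[0].split("\\")[0].strip().lower()


def audit(conn_str, cert_names):
    """Return finding codes for one connection string and the server certificate's names."""
    pairs = parse(conn_str)
    # Assumption: a missing Encrypt keyword means "off" (older SqlClient default).
    if pairs.get("encrypt", "false").lower() not in ENCRYPT_ON:
        return ["NO_ENCRYPTION"]          # queries and results readable by a sniffer
    if pairs.get("trustservercertificate", "false").lower() in YES:
        return ["CERT_NOT_VALIDATED"]     # encrypted, but a man in the middle is not detected
    if server_host(pairs) not in {n.lower() for n in cert_names}:
        return ["HOST_NAME_MISMATCH"]     # client will reject the certificate at connect time
    return []


if __name__ == "__main__":
    cert = ["sql01.corp.example"]  # constructed certificate subject name
    samples = [
        "Data Source=sql01.corp.example;Initial Catalog=Shop;Integrated Security=SSPI",
        "Server=tcp:sql01.corp.example,1433;Database=Shop;Encrypt=True;TrustServerCertificate=True",
        "Server=10.0.0.5\\PROD;Database=Shop;Encrypt=True",
        "Server=tcp:SQL01.corp.example,1433;Database=Shop;Encrypt=True;TrustServerCertificate=False",
    ]
    for s in samples:
        print(audit(s, cert) or ["OK"], s)
```

The third sample shows why connecting by IP address or an alias fails validation even though the certificate itself is fine: the name the client dials has to be a name on the certificate.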