Hi folks,
I have a security consultant demanding that we implement encrypted connections to mySQL. He is concerned that the username and pass for the db are being sent cleartext when we connect.
The mysql server is on the same network as the scripts though not the same physical machine. So the credentials will not be passed externally and should be fine unless the server is already compromised.
Am I right that SSL would be overkill?
JG
If you need to implement this security measure, I would set up an encrypted SSH tunnel. On the web server:
ssh -L 3306:localhost:3306 -N [email protected]
Then connect to MySQL on 127.0.0.1 in your web app, and it will be forwarded to the remote MySQL server over an encrypted SSH tunnel.
It should be fine so long as the network isn't compromised. That doesn't necessarily mean the web or db server.
Do you trust everybody who has access to the network? (We don't know the details of your network setup, but for all we know it is shared by cheap staff in a call centre, who bring in USB sticks which they don't realize contain viruses)
Do you trust them enough considering the importance of whatever data is being dealt with?
Even if you do, unless implementing it generates a noticeable performance penalty, it is rare that implementing more security is a bad thing.