Let's say I have a cluster of HTTPDs on a cloud and they all share the same database. Is setting up MySQL over SSL reasonable paranoia? Or is it security masturbation? What are the pros and cons of SSL on the cloud? What about ARP spoofing?

+3  A: 

Don't know about other providers, but here is what Amazon says:

It is not possible for a virtual instance running in promiscuous mode to receive or "sniff" traffic that is intended for a different virtual instance...<snip>... the hypervisor will not deliver any traffic to them that is not addressed to them. Even two virtual instances that are owned by the same customer, located on the same physical host, cannot listen to each other's traffic. Attacks such as ARP cache poisoning do not work within Amazon EC2.

But, they end it with a disclaimer -

While Amazon EC2 does provide ample protection against one customer inadvertently or maliciously attempting to view another's data, as a standard practice customers should encrypt sensitive traffic.

I don't know the data you are storing, but I'd say -

  1. If it's financial data, don't store it on the cloud. You cannot be PCI compliant.
  2. If you need to be compliant with some law, avoid storing it on the cloud.
  3. For anything else, it should be okay to avoid SSL. The cost doesn't merit the extra security.
sri
Thanks for the answer, you should check out this question as well (http://stackoverflow.com/questions/2889473/when-is-it-safe-to-use-a-broken-hash-function)
Rook