Using SSL for In-Transit Data Encryption to Improve MySQL Security – DZone News

Threats to the security of your online data are everywhere and growing increasingly sophisticated. Yet despite the complex nature of online security, there are basic steps that any developer can and should take when working with a database-as-a-service (DBaaS). The foundation of your security policy should include the use of Secure Sockets Layer (SSL), the standard online security technology for encrypting data as it moves between two points.

If you follow a separation of concerns approach with respect to your database and application, there are several reasons why you will want to use SSL when your application communicates with its MySQL database. You can stop intruders from viewing your data as it passes back and forth between your application and your database. You can stop someone from hijacking your connection and altering what gets sent up and down your pipe. You can also increase your level of confidence that you're conversing with the right people or systems.

In order to successfully use SSL with your MySQL database, it's helpful to understand its evolution.

Early generations of personal computers were not designed with security in mind. It was assumed that only intended users would have physical access to their machines, so as long as they locked up their floppies, security was covered. Then the widespread adoption of the Internet rapidly changed the state of digital security and introduced new challenges for software developers.

Early computer-to-computer communications were accomplished through a simple pipe, generally referred to as a socket, which passed raw data back and forth. Simple programs like TELNET, one of the earliest terminal programs, passed all data through this network pipe, including sensitive information like a user's name and password. Once hackers began to tap into and exploit the relaxed security conditions of these early network pipes, it became clear that a more secure solution was required. In response, Netscape introduced a technology called Secure Sockets Layer (SSL), which provided a way to encrypt data in the pipe. SSL evolved over the years into Transport Layer Security (TLS), a more generic and secure form of the protocol; however, TLS is still commonly referred to as SSL.

To get started with SSL, you need a basic understanding of Public Key Infrastructure (PKI) and cryptography. With PKI, a Certificate Authority (CA) issues digital keys known as certificates. These certificates consist of long strings of numbers based on very complex mathematical systems designed to be extremely hard to decode.

Certificates are designed so that possession alone is of little use to an intruder. Even if intruders swiped your key, it would not by itself be enough for them to decrypt your SSL connections and either eavesdrop on your communications or inject data into the pipe. They might be able to establish their own secure pipe to your database, but they would still need your MySQL username and password to view or change data.

To enhance security further, certificates can be stamped with a server name or other information. Attempts to use that certificate may then require verification of the encrypted information contained in the stamp. This could stop someone who steals your key from being able to establish a secured connection to your database.

There are a few basic points to using SSL with your MySQL database.

You can find detailed instructions on the topic of configuring MySQL to use secure connections in the official MySQL documentation.

If you're new to SSL, getting all this to work is a detailed process. You'll need to know the type of certificate, its encryption method, and whether it requires server names to be validated. Certificates also have expiration dates and a revocation mechanism for reporting them as invalid, so the issuer can check whether your certificate is still valid at the time of the transaction.

So SSL gives you a secure pipe. If others get your private certificate they can have a secure pipe too, but if they don't know your MySQL username and password then they are still not in and can't read your secure connections. If you want to lock things down further, you can stamp your certificate with information that must be validated before the certificate can be used.
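As an added example, not taken from the original article or the MySQL documentation, the statements below enforce the points made above on a MySQL server: TLS for every connection, per-account requirements up to the certificate "stamp" (pinned issuer and subject), and a check that a live session is really encrypted. The account name, network range, password, subject and issuer strings are constructed placeholders; `require_secure_transport` needs MySQL 5.7.8 or later and `SET PERSIST` needs MySQL 8.0.

```sql
-- Server-wide: refuse every plaintext TCP connection (constructed example).
-- On 5.7 use SET GLOBAL plus my.cnf instead of SET PERSIST.
SET PERSIST require_secure_transport = ON;

-- Weak: this account may connect without encryption if the server allows it.
CREATE USER 'app'@'10.0.0.%' IDENTIFIED BY '<placeholder-password>';

-- Better: an encrypted connection is mandatory for this account.
ALTER USER 'app'@'10.0.0.%' REQUIRE SSL;

-- Stricter: the client must also present a certificate signed by a CA
-- the server trusts (ssl_ca), not just encrypt the pipe.
ALTER USER 'app'@'10.0.0.%' REQUIRE X509;

-- Strictest: pin the issuer and subject, so a certificate stolen from
-- another system cannot be used even if it chains to the same CA.
-- The DN strings below are constructed placeholders.
ALTER USER 'app'@'10.0.0.%'
  REQUIRE SUBJECT '/CN=app-client/O=Example Corp'
      AND ISSUER  '/CN=Example Internal CA/O=Example Corp';

-- Audit what the server enforces for the account.
SELECT user, host, ssl_type, x509_issuer, x509_subject
  FROM mysql.user
 WHERE user = 'app';

-- From a connected client: confirm this session is encrypted.
-- Ssl_cipher is empty on a plaintext connection.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
SHOW SESSION STATUS LIKE 'Ssl_version';

-- Server-side TLS configuration actually in effect.
SHOW VARIABLES LIKE 'ssl_%';
SHOW VARIABLES LIKE 'tls_version';
```

An empty `Ssl_cipher` in the session status means the connection negotiated no encryption, regardless of what the client was asked to do.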

SSL provides a great method to prevent spoofing or sniffing a connection but is not a panacea for complete network security. That said, it closes off many avenues of attack and is highly recommended wherever it can be deployed. If you do decide to run without the protection of SSL, make sure you understand and are prepared to manage the downstream repercussions.
