On Tue, May 22, 2001 at 12:51:50AM +0000, [EMAIL PROTECTED] wrote:
>    I know this has been discussed a lot. I did read the mail archive and
> found lots of interesting info. Although I have a problem. We're developing
> Windows software that has to exchange sensitive data with a MySQL server.
> I read about implementing an SSH tunnel. It works well, although I have not
> found a free SSH client for Windows. Even if I did, it would not be really
> helpful as we don't want to explain to our users they have to "install a
> third party software that does IP tunneling in order to transmit data
> securely". Any suggestions? 
> 
>    Even if SSL support was added to MySQL, I guess I'd still have to wait
> for SSL support in the client libs we use on Windows (ZeosLib)...

Hmm. If you want encryption, somebody has to add it at some point in time...

For free SSH clients: you may find links via http://www.openssh.com/
The problem with SSH tunneling is that you need an account on the target
machine to open the SSH connection. It has the advantage that once the
connection has been established, no further overhead is added (except
the actual encryption/decryption).
For SSL: if you don't integrate SSL into your product, you can use the
stunnel software (http://www.stunnel.org) to tunnel your connections.
This works without accounts on the target machines. You may see a significant
performance impact, as each new SSL connection requires a cryptographic
handshake. (Every time a connection to the database is opened. If you
open it once and leave it open, that's fine. If you are using
open-transaction-close cycles, it's horrible. In the long run for a
complete integration this problem can be tackled with session caching
but it is not available for an stunnel solution, AFAIK.)
http://www.stunnel.org/examples/mysql.html

>    I am ready to encrypt every sensitive field in the database, although I
> am wondering if the username and password will be transferred in plain
> text. I've seen somewhere that it isn't, but what kind of
> security/encryption is used and can we consider it safe?

Both the designers of the SSH and the TLS/SSL protocols have spent
a considerable amount of time to design the protocols to be secure
and tamper proof (think of man-in-the-middle attacks) when correctly
used and it took more than one iteration to bring it to the state it is now.
I would therefore recommend staying with these solutions.

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
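
The stunnel arrangement described in the reply above, sketched as an added example in the configuration-file syntax of current stunnel releases (not part of the original message, and not taken from the stunnel project's examples). The host name db.example.com, port 3307 and all file paths are assumptions. It puts the weak client setting beside the corrected one, since the tunnel only resists man-in-the-middle attacks when the client verifies the server certificate.

```ini
; ---------- server side: stunnel.conf on the database host ----------
; Accept TLS on 3307 and hand the decrypted stream to the local MySQL port.
; mysqld itself should listen on 127.0.0.1 only, so that 3306 is not
; reachable in cleartext from the network.
[mysql-tls]
accept  = 3307
connect = 127.0.0.1:3306
; placeholder paths for the server certificate and private key
cert    = /etc/stunnel/db.example.com.pem
key     = /etc/stunnel/db.example.com.key

; ---------- client side, WEAK: encrypts but does not authenticate ----------
; Without certificate verification stunnel accepts any server certificate,
; so an on-path host can terminate the TLS session and relay it.
;
; [mysql-tls]
; client  = yes
; accept  = 127.0.0.1:3306
; connect = db.example.com:3307

; ---------- client side, CORRECTED: verify chain and host name ----------
; The application keeps using an unmodified MySQL client library and
; connects to 127.0.0.1:3306; stunnel wraps that connection in TLS.
[mysql-tls]
client      = yes
; bind to loopback only, so other machines cannot use this tunnel entry
accept      = 127.0.0.1:3306
connect     = db.example.com:3307
; CA (or self-signed server certificate) shipped with the application
CAfile      = ca-cert.pem
verifyChain = yes
checkHost   = db.example.com
```

Each connection the application opens to 127.0.0.1:3306 becomes one TLS connection to the server, so the handshake cost mentioned in the reply is paid once per database connection.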
