Connection String security question #1082

EugenM88 · 2021-11-13T16:35:05Z

EugenM88
Nov 13, 2021

Greetings everyone, ive been always wondering about a specific question that i always had and never was able to answear that for myself, please forgive me if this question might be weird and completely nonsensical, i've always used mysqlconnector to connect directly to a database but only with VPN inside of a VLAN, however as we all know, encrypting everything through a VPN is very heavy on internet and very slow.

Ive been wondering how safe would it be to use mysqlconnector to connect directly to our database if made public without VLAN or VPN?

My worries are, if someone tries to packet sniff our laptop wifi, would they find out the connection string username or password? Is it safe or unsafe to use this connector in lets say an public restaurant Wifi?

What extra steps should i take in this specific scenario?

Thank you very much for all your help in advance!

Answered by bgrainger

Nov 13, 2021

The password is never sent over the wire in plain text. (The user name may be.)

MySQL implements different "authentication plugins" that handle hashing/encrypting the password for transmission.

mysql_clear_password - this does send the password in clear text, but MySqlConnector will refuse to do that unless the session is already encrypted with TLS
mysql_native_password - probably the most common password hashing scheme; the password is hashed twice with SHA-1 and a random challenge sent from the server. Due to the use of SHA-1, this is now considered "weak", but I'm not aware of any attacks against it
caching_sha2_password - an updated version of the above that uses SHA-256 to be more s…

View full answer

bgrainger · 2021-11-13T16:53:06Z

bgrainger
Nov 13, 2021
Maintainer

The password is never sent over the wire in plain text. (The user name may be.)

MySQL implements different "authentication plugins" that handle hashing/encrypting the password for transmission.

mysql_clear_password - this does send the password in clear text, but MySqlConnector will refuse to do that unless the session is already encrypted with TLS
mysql_native_password - probably the most common password hashing scheme; the password is hashed twice with SHA-1 and a random challenge sent from the server. Due to the use of SHA-1, this is now considered "weak", but I'm not aware of any attacks against it
caching_sha2_password - an updated version of the above that uses SHA-256 to be more secure

That just protects the password, though. All future communication (e.g., data sent to/from the database) will be in plain text and could be eavesdropped on.

To fix that, MySqlConnector (and MySQL Server) support TLS for client/server communications. You can ensure this is used by adding SslMode = Required; to your connection string. With that setting, MySqlConnector will refuse to connect unless it can establish an encrypted connection. You can also use client and server certificates to verify that you're talking to the correct server and not vulnerable to a MITM attack.

1 reply

EugenM88 Nov 13, 2021
Author

Thank you very much for your excelent explanation!
I always tought encription between mysqlconnector and database was a paid feature, turns out i was wrong.

Thank you again!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Connection String security question #1082

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

Connection String security question #1082

EugenM88 Nov 13, 2021

Replies: 1 comment · 1 reply

bgrainger Nov 13, 2021 Maintainer

EugenM88 Nov 13, 2021 Author

EugenM88
Nov 13, 2021

Replies: 1 comment 1 reply

bgrainger
Nov 13, 2021
Maintainer

EugenM88 Nov 13, 2021
Author