The Grumpy Troll

Ramblings of a grumpy troll.

MySQL Security

When deciding what to do about security of a product, it's important to think about your threat model. What are you defending against? Failure to do this can lead to situations that are most politely described as ‟silly”.

For instance, let's say you want to support SSL connections between your client and your server. The client sets the connection up and can identify the server by the certificate presented, which includes a verified hostname. What do you do if you can't verify the server hostname? (Perhaps you don't trust the Certificate Authority used.) Continuing with SSL unverified is Bad Security.

The two common solutions are to refuse to continue, or to throw up a warning, which people ignore. So the most common solution is probably to refuse to continue with SSL. But what happens when you fail to understand why you're doing this?

You end up with the Cargo Cult solution, applied by MySQL: silently fail the SSL connection, then proceed with a plaintext connection.


So, ‟you don't let us verify you, so we won't trust you, so we'll drop the confidentiality layer and then trust you anyway, with never an explanation as to why”.


[My last couple of posts have been rather long, so I dug out an old issue which is short; I did the MySQL setup in 2005, they might have fixed things since then, I don't know as I haven't touched MySQL in years]

-The Grumpy Troll

[Edit:] PS: Oh, and all done silently, so that you need to use \s in the MySQL client to even see that SSL is not enabled after all.

# Server /etc/my.cnf
[mysqld]
# CA certificates used to verify client certificates
ssl-capath=/etc/ssl/certs/
# the server's own certificate and private key
ssl-cert=/etc/ssl/mysql/mysql-server-crt.pem
ssl-key=/etc/ssl/mysql/mysql-server-key.pem

# Client /etc/my.cnf:
[client]
host=server.host.name.example.org
# refuse the old pre-4.1 password hashing
secure-auth
# ask for SSL; in the version tested this falls back to plaintext
# without a word if the server certificate cannot be verified
ssl
# CA certificates used to verify the server certificate
ssl-capath=/etc/ssl/certs/
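As an added check that is not part of the original post: a small Python helper that reads the SSL line of the mysql client's \s output (or the row from SHOW STATUS LIKE 'Ssl_cipher', whose value is the empty string on a plaintext session) and refuses to go on unless a cipher is actually in use, so the silent fallback becomes a loud failure. The sample status text below is constructed to match the client's output format, not captured from a real server. Later MySQL releases (5.7.11 onward) added a client ssl-mode option whose REQUIRED, VERIFY_CA and VERIFY_IDENTITY values make the client fail closed on its own; the check here is for setups that predate it.

```python
"""Post-connect check that a MySQL session is really encrypted.

Added example, not from the original post. Two inputs are handled:
the text printed by the mysql client's \\s (status) command, and the
row returned by SHOW STATUS LIKE 'Ssl_cipher'. The sample output is
constructed to match the client's format, not captured from a server.
"""
import re
from typing import Iterable, Optional, Tuple


def _sample_status(ssl_line: str) -> str:
    """Build a constructed \\s transcript with the given SSL line."""
    return (
        "--------------\n"
        "mysql  Ver 14.12 Distrib 5.0.45, for pc-linux-gnu (i686)\n"
        "\n"
        "Connection id:          42\n"
        "Current database:\n"
        "Current user:           app@client.example.org\n"
        f"SSL:                    {ssl_line}\n"
        "Current pager:          less\n"
        "Server version:         5.0.45 Source distribution\n"
        "Connection:             server.host.name.example.org via TCP/IP\n"
        "--------------\n"
    )


# Constructed: a session that silently fell back to plaintext.
STATUS_PLAINTEXT = _sample_status("Not in use")
# Constructed: a session where SSL actually negotiated.
STATUS_TLS = _sample_status("Cipher in use is DHE-RSA-AES256-SHA")


class InsecureSessionError(RuntimeError):
    """Raised when a session that was meant to use SSL is plaintext."""


def ssl_cipher_from_status(status_text: str) -> Optional[str]:
    """Return the cipher named on the 'SSL:' line of \\s output.

    Returns None when the line says 'Not in use' or is missing, so an
    unparseable transcript is treated as plaintext (fail closed).
    """
    for line in status_text.splitlines():
        m = re.match(r"^SSL:\s*(.*)$", line)
        if not m:
            continue
        value = m.group(1).strip()
        if not value or value.lower() == "not in use":
            return None
        cipher = re.match(r"Cipher in use is (\S+)", value)
        return cipher.group(1) if cipher else value
    return None


def ssl_cipher_from_show_status(rows: Iterable[Tuple[str, str]]) -> Optional[str]:
    """Interpret SHOW STATUS LIKE 'Ssl_cipher' rows as a DB-API cursor returns them.

    The Value column is the empty string when the connection is not encrypted.
    """
    for name, value in rows:
        if name == "Ssl_cipher":
            return value or None
    return None


def require_encrypted(cipher: Optional[str]) -> str:
    """Fail closed: return the cipher name, or raise if the session is plaintext."""
    if cipher is None:
        raise InsecureSessionError(
            "SSL was requested but the session is plaintext; refusing to continue"
        )
    return cipher


if __name__ == "__main__":
    print("ok:", require_encrypted(ssl_cipher_from_status(STATUS_TLS)))
    try:
        require_encrypted(ssl_cipher_from_status(STATUS_PLAINTEXT))
    except InsecureSessionError as err:
        print("refused:", err)
```

In a real deployment the status text or the Ssl_cipher row would come from the live connection right after connecting, before any query that carries credentials or data; anything other than a named cipher aborts the session.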

Comments

RogerBW
It continues to puzzle me that people use MySQL - as with sendmail, I don't believe it has any role in new projects or installations.

For "I'd like to use flat files but my dataset is too large", SQLite does what's needed. For "I want a real database", Postgres is faster than MySQL in any mode other than as a front-end to a glorified flat file structure. MySQL occupies the shrinking gap used by people who want speed _or_ data integrity. And how long is it going to last now that it's owned by Oracle? (Some commercial MySQL users have already had invitations to "upgrade" to Oracle.) Yeah, there are forks...

http://dev.mysql.com/doc/refman/5.0/en/server-sql-mode.html contains this gem:
TRADITIONAL: Make MySQL behave like a "traditional" SQL database system. A simple description of this mode is "give an error instead of a warning" when inserting an incorrect value into a column.
Categories: mysql ssl cargo cult security