SSL, mysql, HTTPsecuresocket

Hi all,
I have several questions relating to the security of data being passed between a desktop app and a mySql db.

I have developed a desktop app in realStudio 2012 r2.1. for PC at this stage

-The app checks with a mySql database located on my 123-reg vps for payments etc before it runs.

  • A registration procedure runs on installation again passing passwords and email addresses the mySql database located on the 123-reg VPS.
  • The customer can purchase bolt on functionality for the app via HTML viewer.
    My vps as it stands today is not secure in that I have not installed SSL.
    Everything works OK but am I right in thinking data being between my app and mySql located on the vps is not secure.
    I connect to mySql with the following code:

‘remoteDB = new MySQLCommunityServer
remoteDB.Host = kHost
remoteDB.UserName = kUser
remoteDB.Password = kPassword
remoteDB.Port = kPort
remoteDB.DatabaseName = kDBname
If remoteDB.Connect Then…’

I understand by adding
remoteDB.SSLMode = true this will enable my app to communicate with the mySql once the SSL has been setup on the vps.

do I need to specify ALL of these parameters?

  1. ssl certificate file
  2. ssl Key File
  3. ssl authority file
  4. ssl authority directory
    and would I be able to store these internally within the app rather than distributing the app with these stored as external files??

    My service provider says all I need to do is install SSL at the vps and my existing mySql will not need amending.

Any advice and feedback would be much appreciated…

And prepare a big fat check for Oracle when they decide to ask you to buy a commercial license :stuck_out_tongue:

  1. you should not have your db set directly exposed to the internet

  2. see step 1

Hi Norman
Whoa Sharp intake of breath…

I understood you need a commercial license if you want to modify MySQL and redistribute the result as non-Free software.
You need a commercial license if you want to embed MySQL within your non-Free program. (embed is not the same as “make a connection to.”)

Is this not the case??

this response is 100% my opinion and I am NOT a lawyer! so take it with a grain of salt.

this is a very grey area in the legal world and you are dealing with Oracle. Oracle is very restrictive on their views and it is always better to get a license then get hit by papers from their lawyers (and they have tons of them). If you ask Oracle, they would say yes of course you need a license and give them lots of your hard earned money as they feel they deserve it.

now are you connecting to an outside database? or truly embedding it in your app? the later would definitely need a license in my opinion (and probably Oracles). Former is more grey.

MySQL was much more reasonable (read flexible) before they were bought by Oracle. then it became more restrictive.

Now if you aren’t attached completely to MySQL databases (like your customer already has MySQL installed in their environment), I would ask you to consider PostgreSQL. Very similar to MySQL but 100% open source/free. No licensing. Now if you want a support contract with someone that can help fix issues (Tech Support), there are a few companies that can do that for you. All would probably be much cheaper than MySQL license from Oracle.

Up until recently I was a MySQL person but I have moved away from it where I can and to PostgreSQL as it has better licensing for my needs.

Thanks to you both now looking at postgre, cant afford the risk of having to purchase a commercial license due to the grey areas.

James, licensing issues aside the nature of your question remains the same. With PostgreSQL you need to configure the database server to use SSL. You will end up generating server/client SSL certificates. This gives you encrypted communications but also another authentication step. Even with a correct username/password without valid client certificates the database connection will not be accepted.

As for the debate about whether you should connect directly to MySQL or not - that depends a lot on your circumstances. I don’t believe I would allow any person on any machine with access to my program to hit my database server. However these database servers are very robust and not inherently any more insecure than your typical web server. So its debatable.

SSL is a must in this situation in my opinion.

Hi Phillip

Yes you do raise a very valid point,
I have been thinking about the connectivity issue and having an internal debate (in my head, the joys of working on my own) about whether my app should execute php scripts on the server for access to the database, rather than a direct connection.
I gather if the php scripts were ‘ionCubed’ it would make the hackers job a lot more difficult.

The security aspects of this project do concern me, with my lack of knowledge I can only hope to deter the de-motivated, lazy, hacker, with the minimum amount of security.

Thank you for your reply Phillip your comments have been very helpful

I am still a bit unsure about the SSL side of things,

Using PostgreSQLDatabase in ssl mode I am having to provide certificates and keys.

Surely If I was to distribute with my app the ssl certificate file, the ssl keyfile this would compromise security in some way?
Or not??

This is why my original question relates to how best store those variables.

Excuse my ignorance but I think like a lot of us the subject of security causes me confusion and stress…

ionCube would make it harder for hackers to steal your source code. If there is a bug in the code that responds to SQL requests then it will still be a bug regardless of the PHP interpreter details. My point is if the API is susceptible to SQL injection or something like that then the so-called hackers might have even more access then they otherwise would. Introducing an API is another failure and security point that needs to be reviewed.

You would distribute to your clients the client cert/key along with the CA cert. Those would “permit” client connections so long as the PostgreSQL server requires SSL and the client certs were signed by the same CA as the server certs. A valid username/password would still be valid.

Most importantly though it encrypts your communications.