If run a Web application on a web server in one location and inside my php code I use OpenSSL to encrypt data, will the data be secured when transmitted to my SQL Server on my Server.
I am working on a Web application but it is being hosted on 3rd Party Web hosting Service but User Data is being Stored in SQL On my Personal Server. All Data will be encrypted Using OpenSSL on the web Server where web Server ask for the Users personal encryption key stored SQL One Time Per Session. I plan on Using a Second OpenSSL Encyption to Encrypt the User Encryption Keys. Users will also only be able to use the app via a Secured HTTPS Connection to Web Server.
I Just want to find out What I need to do to ensure User Data will be Secured to the Best of My Ablilities form mainly Man In Middle Attacks.
The Web Hosting Service is a Well Know Service with Secured Connections, I Will Have an upgraded SSL Certificate.
My SQL Server Will Only Except Connection from Web Server IP on a Non Standard SQL Port.
It sounds like you have the front-end encryption taken care of, but what you are asking about is the connection to the back-end, or your SQL server. You need to make sure that you are properly defining a secure connection as that is the default, BUT MySQL will drop down to an unsecured connection if there are any issues in that config (past auth, of course).
Here is a link to the MySQL doc page, https://dev.mysql.com/doc/refman/5.7/en/encrypted-connections.html
You should be able to get some info there more specific to how you are trying to configure your connection string and user account.
-Tango
Related
I'm doing a website project in PHP, front/back-end from scratch, which will require secure database connections. I've set up my MySQL database with XAMPP, and have gotten an understanding on how to avoid SQL injections. As of now, when a user signs up to my website, I send them an auto-generated email with a link containing a GET request. This GET request contains non-sensitive information to validate the user to the database which I have managed successfully.
Now, I've learned that to increase security, I should use SSL/TLS encryption on all communications between server/client and this is where I'm confused. AFAIK PHP offers mysqli_ssl_set to establish an encrypted connection to MySQL. And MySQL can be configured to force only SSL/TLS connections (Please alert me if I'm wrong).
How do I make sure that my information sent to the client is SSL encrypted? I'm planning on moving my project to a hosting service. Will they provide the correct certificates needed to encrypt my information to the world wide web? On which subject do I need to further develop my understanding of these concepts?
Using the Arduino UNO and the ESP-8266, what are the security risks for connecting and uploading data directly from the Arduino? Instead of sending a POST request to a PHP web server with the data?
I know the PHP method is safer but I just want to know clearly what and how data is not safe that way.
I don't think web server is safer than a client application. Though you have https, a lot of database servers supports TLS too for communication, which is also safe.
But you will need to enable the encrypt feature in database server. For mysql, I think it is default to use TLS encryption so it is safe.
The differences need to be considered are:
API
direct db access: need to install DB access client software (api)
web: standard web access, no api installation required
DB exposure
direct db access: exposes db structure and authenticate. Something like user/password is stored locally on the pc and has risk of leaking.
web: only exposes limited information
server port exposure
Usually database port is only accessable in LAN. That means you can not use direct db access on WAN if the port is not open.
connection timespan
web access usually is state-less. That means one page a connection, and connection is closed as soon as page is loaded. direct db access will keep the db connection open throughout the application live period.
usually db connection count is limited. if client app is not well written it may use up all connectiions and make the database not accessible.
version control
web access: you only need to upgrade on the web server.
db access: you need to install new versions on each client pc.
performance
web access: slower than direct db access.
So if all your users are in a LAN and all pcs are trusted, I don't see a reason to introduce a web server.
I have a MySQL server installed on an Nginx server on Debian 8.
The production page on the server, say example.com has SSL installed in it.
This MySQL server will be used along with PHP to set and retrive data.
Now I am confused whether to add SSL for the connection between client and MySQL server? What is the best practice?
If the traffic runs through app to MySQL locally, your traffic is secure (as long as your linux server is secure).
You don't need ssl for MySQL to app if the app only accesses MySQL locally.
You need ssl if anyone will be accessing MySQL remotely or if your app server is remote.
You will need to worry about those two things the most.
Transport Security. Does MySQL traffic ever leave your local network? If so, is it encrypted during transmission? If you are doing everything locally, then you have nothing to worry about. If your database connection goes across internet, make sure to use SSL.
System Security. Is your MySQL server accessible from internet? Does it need to be? If not, just add rule into iptables to block all incoming traffic to 3306 that's not from localhost. Also make sure that you are using strong SSH passwords and implement fail2ban, or allow key based authentication only.
SSL is good to help protect your clients. Sniffing packets may be thwarted by SSL. For example, if someone does a credit transaction, the credit card data would not be in plain view, as the data moved between the client to the server. However, SSL is not a way to protected your SQL resources, which is backend between the web serer and SQL database server. You need to run "mysql_secure_installation" for a mysql database, and design you PHP code to prevent SQL injection issues, for example. So, yes, SSL is very important to protect your clients, but other design factors are needed to protect your backend server assets.
I need to make a secure connection using php to a remote mysql database. Do I need to install ssl certificates on both servers? Or just in the server where I have the mysql database?
It depends on what you want to secure.
If you want to secure the communication between the user-agent (browser) to your web server, you need to set up a certificate on the web server.
If you want to secure the communication between the web server (the DB client) and the MySQL server, you need to set up a certificate on the MySQL server.
In addition, you could make the MySQL client (your PHP script) use a client-certificate to authenticate to the MySQL server. This might not be necessary if MySQL username/password are considered enough.
The certificate resides only on the MYSQL server side if you want to connect from your script to the database. Your database server does not ever initiate connections with your web code, so the web side would not need a certificate for DB communication. If you want to secure the communication between the client browser all the way to the DB, then you need a certificate for the website for the client browser to consume.
I have following scenario:
The Android clients communicate with a PHP server via HTTP Post. The PHP server is communicating with mySQL database and sends the output as JSON to the Android client.
Now I am concerned that people sniffing the traffic, find out the URL and will post a lot of grap in my database.
I have no concern of sniffing the payload. So it does not necessarily be encrypted.
I was thinking of TLS/SSL which comes in mind because of the HTTP connection. But I am not sure what is the prefered way to go in this scenario.
What you want to do is employ mutually-authenticated SSL, so that your server will only accept incoming connections from your app and your app will only communicate with your server.
Here's the high-level approach. Create a self-signed server SSL certificate and deploy on your web server. You can use the keytool included with the Android SDK for this purpose. Then create a self-signed client and deploy that within your application in a custom keystore included in your application as a resource (keytool will generate this as well). Configure the server to require client-side SSL authentication and to only accept the client certificate you generated. Configure the client to use that client-side certificate to identify itself and only accept the one server-side certificate you installed on your server for that part of it.
If someone/something other than your app attempts to connect to your server, the SSL connection will not be created, as the server will reject incoming SSL connections that do not present the client certificate that you have included in your app.
A step-by-step for this is a much longer answer than is warranted here. I would suggest doing this in stages as there are resources on the web about how to deal with self-signed SSL certificate in Android, both server and client side. There is also a complete walk-through in my book, Application Security for the Android Platform, published by O'Reilly.
SSL won't help you, as the traffic can be sniffed before the data hits the wire, and people will STILL be able to figure out your API calls and fill the DB with crap.
You can "secure" the service with access tokens and username/password requirements. But again, they won't prevent a malicious user from flooding your system with bad data. However, it would let you track down WHICH user was doing so, as they'd have to be using a unique access token of some sort to get at your system.