Reputation: 1002
I realise that this may seem an odd question (and I apologise for asking what almost answers itself); however, I was concerned after reading responses to other questions:
I have a PHP script which stores data in a localhost MySQL database. Some of that information is sensitive and is encrypted using the MySQL AES encryption function.
I read that MySQL does not encrypt the data in its connections. This was mentioned in two recent replies that dealt with localhost connections, hence my concern.
I have always thought that as the data was being passed internally in the same computer, the risk of interception was zero. Is this not the case, then? Should I be encrypting in PHP before storing the data?
I am using mysqli_*
Connection to the server is via SSL.
I currently use a shared virtual server though once development is complete I plan to move to a dedicated machine.
Please would an expert either put my mind at rest or tell me how I should be doing this.
Upvotes: 4
Views: 2806
Reputation: 29769
As you have guessed, it is kind of pointless to use SSL for local connections. SSL's main purpose is to encrypt the channel so as to prevent man-in-the-middle-like attacks. But there can be no man in the middle in the case of a local connection. In your setup, I would recommend a connection through a local socket, and bypass the TCP layer altogether.
Now back to the question.
Should I be encrypting in PHP before storing the data?
No, if the database is on the same machine as the one that executes the script.
No, if the database is remote, and if the link is trusted (either you trust the link per se, or the link is secured, e.g. with SSL).
Yes, in all other situations.
In the latter case (untrusted link to a remote database), AES_ENCRYPT() is not suitable. The encryption/decryption process is done by MySQL. The data transits unencrypted between PHP and MySQL. Also, as one must pass an encryption key to MySQL's AES_ENCRYPT() and AES_DECRYPT(), this key will typically be sent unencrypted along with the rest of the SQL query.
Upvotes: 2
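For the untrusted-link case described in the answer above, encrypting in PHP means only ciphertext appears in the query and the key never leaves the application. The following is an added example, not part of the original answer; it assumes PHP 8 with the openssl and mysqli extensions, and the table `user_secrets`, its columns, and the function names are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example: AES-256-GCM via ext/openssl. Table and column names are hypothetical.
const CIPHER = 'aes-256-gcm';
const IV_LEN = 12;   // GCM nonce length in bytes
const TAG_LEN = 16;  // GCM authentication tag length in bytes

// Encrypt in PHP: returns nonce || tag || ciphertext as one binary string.
function encrypt_field(string $plaintext, string $key): string
{
    if (strlen($key) !== 32) {
        // openssl would silently pad or truncate a wrong-sized key, so reject it here
        throw new InvalidArgumentException('key must be 32 bytes');
    }
    $iv = random_bytes(IV_LEN);  // fresh nonce for every stored value
    $tag = '';
    $ct = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, '', TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $iv . $tag . $ct;
}

// Decrypt in PHP: fails if the stored blob was modified or the key is wrong.
function decrypt_field(string $blob, string $key): string
{
    $iv = substr($blob, 0, IV_LEN);
    $tag = substr($blob, IV_LEN, TAG_LEN);
    $ct = substr($blob, IV_LEN + TAG_LEN);
    $pt = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        throw new RuntimeException('authentication failed');
    }
    return $pt;
}

// Only the opaque blob travels in the query; neither plaintext nor key is sent to MySQL.
function store_secret(mysqli $db, int $userId, string $plaintext, string $key): bool
{
    $blob = encrypt_field($plaintext, $key);
    $stmt = $db->prepare('INSERT INTO user_secrets (user_id, secret_blob) VALUES (?, ?)');
    $stmt->bind_param('is', $userId, $blob);
    return $stmt->execute();
}

// Offline round trip with a constructed key and value (no database needed).
$key = random_bytes(32);
$blob = encrypt_field('constructed sample value', $key);
echo bin2hex($blob), "\n", decrypt_field($blob, $key), "\n";
```

The blob column should be a binary type (for example VARBINARY or BLOB) so the nonce, tag and ciphertext are stored byte for byte.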