JP.

Reputation: 5606

Are SQL Server connections encrypted?

I am writing a small desktop application and was wondering what the security concerns would be when connecting to a hosted database that is currently used for a website. Specifically, I would like to know if SQL Server connections are encrypted and if it is safe to connect to a hosted (by a web hosting company) database from a local application.

Thank you

JP

Upvotes: 6

Views: 6360

Answers (1)

Remus Rusanu

Reputation: 294297

See MSDN's Encrypting Connections to SQL Server. The short answer is that SSL encryption can be configured.

The long answer is that it will depend on your hosting. First of all, I doubt your hosting will allow the SQL Server to be exposed over the internet. Second, if it does, since SQL Server has no concept of virtual host, the instance will be shared with anyone and the name you connect to will be the hosting box name. They have to install an SSL certificate with proper subject for the hostname to be used by SQL Server and properly configure the instance to use this certificate (all details in the link above).

If SQL Server is not configured to use a properly named certificate, then a self-signed certificate will be used instead. Then the client has to be configured to trust any certificate the server provides, meaning the connection from client to your database is no longer secure: An attacker can mount a man-in-the-middle attack with relative ease.

You have to contact your provider and get all these details to understand your situation. Most likely you'll have to expose the database over a set of web services and protect the web services with HTTPS. (This would be better anyway. If nothing else, then at least because it does not require exposing the SQL Server port to the net).

Upvotes: 6
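
An added example, not part of the answer above or of any Microsoft tooling: a small Python check that reads an ADO.NET-style connection string and reports the two client-side settings the answer turns on, whether encryption is requested (`Encrypt`) and whether certificate validation is bypassed (`TrustServerCertificate`). The sample strings, host name and finding texts are constructed, and the parser assumes plain True/False or Yes/No values with no quoted semicolons.

```python
# Added example: lint ADO.NET-style SQL Server connection strings.
# Assumption: Encrypt / TrustServerCertificate carry True/False or Yes/No.
# Assumption: values contain no quoted semicolons (simple parser).

TRUE_VALUES = {"true", "yes"}


def parse_connection_string(conn_str):
    """Split 'Key=Value;...' into a dict; keys lower-cased, spaces removed."""
    settings = {}
    for part in conn_str.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        settings[key.strip().lower().replace(" ", "")] = value.strip()
    return settings


def audit(conn_str):
    """Return findings; an empty list means encrypted with a validated cert."""
    s = parse_connection_string(conn_str)
    findings = []
    if s.get("encrypt", "").lower() not in TRUE_VALUES:
        findings.append("client does not request encryption")
    if s.get("trustservercertificate", "").lower() in TRUE_VALUES:
        findings.append("server certificate accepted without validation")
    return findings


# Constructed sample strings; host and database names are placeholders.
SAMPLES = {
    "validated": "Server=sql.hosting.example;Database=app;"
                 "Encrypt=True;TrustServerCertificate=False",
    "trust_any": "Server=sql.hosting.example;Database=app;"
                 "Encrypt=True;Trust Server Certificate=Yes",
    "plaintext": "Server=sql.hosting.example;Database=app",
}

if __name__ == "__main__":
    for name, conn_str in SAMPLES.items():
        print(name, audit(conn_str) or "ok")
```

The `trust_any` case is the self-signed-certificate situation the answer describes: the channel is encrypted, but the client cannot tell the real server from an interceptor.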
