MySQL Sanity check

Bob Hollness

OK. The below text is from the MySQL website.

"When you connect to a MySQL server, you should use a password. The password
is not transmitted in clear text over the connection. Password handling
during the client connection sequence was upgraded in MySQL 4.1.1 to be very
secure"

Has anyone actually tested this by "sniffing" their packets during use?
Also, does anybody know if this applies when using VB to connect using the
connection string?

This may be totally obvious but I was just looking for a 2nd opinion. I
have not yet "sniffed" my own packets as currently, my DB server is
deader than dead.
 
Lucas Tam

OK. The below text is from the MySQL website.

"When you connect to a MySQL server, you should use a password. The
password is not transmitted in clear text over the connection.
Password handling during the client connection sequence was upgraded
in MySQL 4.1.1 to be very secure"

The reason why MySQL recommends a password is because by default I believe
there is no password set (or a very basic password). MySQL is typically
set up to use hostname filters instead of passwords.

Has anyone actually tested this by "sniffing" their packets during
use? Also, does anybody know if this applies when using VB to connect
using the connection string?

MySQL stores their passwords as hashes, so it's impossible to retrieve the
original password. I haven't sniffed MySQL packets before, but I believe
they send a password hash rather than a clear text password.

In any case, I haven't heard of a MySQL vulnerability lately... so if your
MySQL server is dead, could be a configuration issue on your side.
 
Bob Hollness

Thanks. I am connecting to my server over the internet and it will not
always be from the same machine. This is why I am using passwords. My
server is only dead because I broke it trying to upgrade something!

The question I wanted clarifying was this. Is my connection string that I
generate in code using VB, handed over the internet as plain text or does
it interface with the local MySQL DLLs that you have to install, and then
do they in turn check the password securely?
 
Lucas Tam

The question I wanted clarifying was this. Is my connection string
that I generate in code using VB, handed over the internet as plain
text or does it interface with the local MySQL DLLs that you have to
install, and then do they in turn check the password securely?

The connection string is assigned to your MySQL .NET Database Classes
right? In that case, the connection string is passed to the MySQL.NET DLLs,
encrypted, then sent over the internet.

I'm pretty sure the text is encrypted (or at least hashed). You can verify
this by running a packet sniffer.

If you need a free sniffer, check out Ethereal. It's very easy to set up and
you can start sniffing your packets in ~5 minutes! : )
 
Bob Hollness

This is my connection string. Is this what you were referring to?


MAConn.CursorLocation = ADODB.CursorLocationEnum.adUseServer
MAConn.ConnectionString = "DRIVER={MySQL ODBC 3.51 Driver};" _
& "SERVER=IPADDRESS;" _
& "PORT=3306;" _
& "DATABASE=MyDB;" _
& "UID=" & "testuser" & ";" _
& "PWD=" & "123abc" & ";" _
& "OPTION=" & 1 + 2 + 8 + 32 + 2048 + 16384

MAConn.Open()

Thanks for the help. I am not yet using the .NET connector from MySQL,
still using the ODBC DLLs.
 
Lucas Tam

This is my connection string. Is this what you were referring to?


MAConn.CursorLocation = ADODB.CursorLocationEnum.adUseServer
MAConn.ConnectionString = "DRIVER={MySQL ODBC 3.51 Driver};" _
& "SERVER=IPADDRESS;" _
& "PORT=3306;" _
& "DATABASE=MyDB;" _
& "UID=" & "testuser" & ";" _
& "PWD=" & "123abc" & ";" _
& "OPTION=" & 1 + 2 + 8 + 32 + 2048 + 16384

MAConn.Open()

Thanks for the help. I am not yet using the .NET connector from MySQL,
still using the ODBC DLLs.

Yes, that's the connection string I'm referring to. The ODBC DLLs parse the
string out and populate connection parameters... so I'm 95% sure that the
username/password is not sent as clear text.
 
Bob Hollness

Excellent. Thanks for your help. Hopefully I will have my server working
again today so I can sniff the packets.
 
Jerry H.

"I picked a bad day to stop sniffing packets"

Seriously, I was wondering about this same thing also, as I'll be
upgrading my home server from MySQL 3.23. to 4.1.1 in the near future.
 
Bob Hollness

OK. And the results are.....

The initial connection is encrypted, but EVERYTHING else after that is sent
as plain text. So, if you ever do any administration, make sure you do it
via SSH as otherwise if you create a user, the password is sent as text for
all to see!
 
Lucas Tam

The initial connection is encrypted, but EVERYTHING else after that is
sent as plain text. So, if you ever do any administration, make sure
you do it via SSH as otherwise if you create a user, the password is
sent as text for all to see!

Yup, that's exactly what the docs say : )
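
Added example, not part of the original thread and not code from MySQL or any poster: a Python illustration of what the sniffing result above means on the wire. It assumes the 4.1+ login is the SHA1 challenge-response scheme later named mysql_native_password; the password, scramble, user name and packets are constructed sample values.

```python
import hashlib
import hmac
import re

COM_QUERY = 0x03  # command byte that precedes SQL text in a client packet
SECRET = re.compile(rb"(IDENTIFIED\s+BY\s+|PASSWORD\s*\(\s*)'([^']*)'", re.I)

def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

def client_token(password: bytes, scramble: bytes) -> bytes:
    """Login reply: SHA1(pw) XOR SHA1(scramble + SHA1(SHA1(pw)))."""
    stage1 = sha1(password)
    mask = sha1(scramble + sha1(stage1))
    return bytes(a ^ b for a, b in zip(stage1, mask))

def server_accepts(token: bytes, scramble: bytes, stored: bytes) -> bool:
    """Server keeps only SHA1(SHA1(pw)); it unmasks the token and re-hashes."""
    mask = sha1(scramble + stored)
    stage1 = bytes(a ^ b for a, b in zip(token, mask))
    return hmac.compare_digest(sha1(stage1), stored)

def read_packets(stream: bytes):
    """Yield payloads; framing is 3-byte little-endian length + 1-byte sequence id."""
    pos = 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "little")
        payload = stream[pos + 4:pos + 4 + length]
        if len(payload) < length:
            break  # truncated capture, stop cleanly
        yield payload
        pos += 4 + length

def exposed_statements(stream: bytes) -> list:
    """Statements sent unencrypted that carry a password literal (redacted here)."""
    hits = []
    for payload in read_packets(stream):
        text, count = SECRET.subn(rb"\1'<redacted>'", payload[1:])
        if payload[:1] == bytes([COM_QUERY]) and count:
            hits.append(text.decode("latin-1"))
    return hits

def packet(seq: int, payload: bytes) -> bytes:
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

# Constructed sample values (not from the thread or any real capture).
SAMPLE_PW = b"constructed-pw"
SAMPLE_SCRAMBLE = bytes(range(1, 21))  # server sends 20 random bytes per connection
SAMPLE_STREAM = packet(0, b"\x03GRANT SELECT ON MyDB.* TO 'newuser'@'%' IDENTIFIED BY '"
                       + SAMPLE_PW + b"'") + packet(0, b"\x03SELECT 1")
```

The login token changes with every scramble and never contains the password, while the GRANT statement travels as readable text unless the session runs over SSL or an SSH tunnel.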
 
