Security in mySQL Logins...
Date: 05/21/08
(MySQL Community) Keywords: mysql, sql, java, security, web
I'm wondering if anyone has any thoughts or pointers about this.
I am setting up a Java Web Start program that accesses a mySQL DB. The program was written a good while ago and was never meant to go outside the office. But now, of course, we want it to. :-)
The issue is...wait for it...security! mySQL, by default, does not have secure communications, although I am seeing that it can be set up to do SSL communications. Save for having to set up our mySQL server to handle that (Certificate administrators, etc.) and having to re-write sections of the Java program to handle the secure communications, that's all theoretically good.
However, I don't really need something that elaborate. Indeed, the data itself is public and does not need to be secured. What we are worried about is someone sniffing out the credentials to the mySQL DB. How can that be stopped?
In my research into this I came across an invocation flag to mySQL called --compress.
The Basic SSL Concepts section of the mySQL 5.0 Reference Manual says, "To improve security a little, you can compress client/server traffic by using the --compress option when invoking client programs. However, this does not foil a determined attacker."
This sounds perfect for me if such an invocation compresses (or otherwise hides) the credentials being used to access the DB. Does anyone know if it does?
So, in a larger sense, I guess I'm asking how you folks secure access to your mySQL DBs in any sort of public setting? Am I forced to set up the SSL solution and rewrite the Java program, or is there a more non-invasive way of doing this?
Thanks!
Source: http://community.livejournal.com/mysql/128489.html
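Added example (not part of the original post): the compressed protocol that --compress turns on is a keyless zlib framing, so anyone who captures a frame can inflate it. The sketch builds one constructed COM_QUERY frame and decodes it as a passive observer would. The helper names, the sample queries and the "send raw when zlib does not shrink the packet" rule are assumptions of this sketch.

```python
import zlib

COM_QUERY = 0x03  # MySQL command byte for a text query


def int3(n: int) -> bytes:
    """3-byte little-endian integer, as used in MySQL packet headers."""
    return n.to_bytes(3, "little")


def build_frame(sql: str, seq: int = 0) -> bytes:
    """Client side: wrap one COM_QUERY packet in a compressed-protocol frame."""
    body = bytes([COM_QUERY]) + sql.encode()
    inner = int3(len(body)) + bytes([seq]) + body  # ordinary MySQL packet
    packed = zlib.compress(inner)
    if len(packed) >= len(inner):
        # Sketch assumption: send raw when zlib does not shrink the packet.
        # An "uncompressed length" of 0 marks the payload as not compressed.
        return int3(len(inner)) + bytes([seq]) + int3(0) + inner
    return int3(len(packed)) + bytes([seq]) + int3(len(inner)) + packed


def observe(frame: bytes) -> str:
    """Passive observer: recover the SQL text from a captured frame, no key."""
    if len(frame) < 7:
        raise ValueError("frame shorter than its 7-byte header")
    wire_len = int.from_bytes(frame[0:3], "little")
    plain_len = int.from_bytes(frame[4:7], "little")
    payload = frame[7:7 + wire_len]
    if len(payload) != wire_len:
        raise ValueError("truncated frame")
    inner = zlib.decompress(payload) if plain_len else payload
    if plain_len and len(inner) != plain_len:
        raise ValueError("length mismatch after inflate")
    body = inner[4:4 + int.from_bytes(inner[0:3], "little")]
    if not body or body[0] != COM_QUERY:
        raise ValueError("not a COM_QUERY packet")
    return body[1:].decode()


# Constructed sample queries (table and column names are made up).
SHORT_SQL = "SELECT 1"
LONG_SQL = "SELECT title FROM listings WHERE id IN (" + ", ".join(["1001"] * 40) + ")"

if __name__ == "__main__":
    for sql in (SHORT_SQL, LONG_SQL):
        frame = build_frame(sql)
        print(len(sql), "chars ->", len(frame), "bytes on the wire; recovered:",
              observe(frame) == sql)
```

The long query no longer appears as readable text in the frame, yet `observe` recovers it exactly, which is the sense in which compression "does not foil a determined attacker".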