
Securing MySQL!

With a Focus on SSL

http://www.yassl.com (206) 369-4800

yaSSL (yet another SSL)

Founded: 2004
Location: Bozeman, MT; Seattle, WA; Portland, OR
Our Focus: Open Source Embedded Security (for Applications, Devices, and the Cloud)
Products:
- CyaSSL, yaSSL
- yaSSL Embedded Web Server

Slide 2 / 69

Copyright 2012 yaSSL

Why is this Important?

Ivan Ristic: Internet SSL Survey 2010


http://www.ssllabs.com

Alexa Top 1M Sites


120,000 Use SSL (12%)


What are we going to talk about?

Part I: MySQL Security
1. Good Security Practices for MySQL
Part II: SSL/TLS
1. Overview of SSL and TLS
2. Configuring and Building MySQL with SSL
3. MySQL SSL Command Options
4. SSL Certificate Creation
5. Performance Comparison
Part III: Additional Security Concerns
1. Data Storage and Encryption
Part IV: Wrap-Up
1. Licensing

Part I
MySQL Security

- MySQL Updates
- Account Passwords
- Test Databases
- mysqld
- Privileges

MySQL: Good Security Practices

Do we really need to secure our MySQL database?

YES!
MySQL is Susceptible to Many Attacks:
- Basic Attacks (empty password, etc.)
- SQL Injection Attacks
- Known MySQL Bugs and Vulnerabilities

MySQL: Good Security Practices


Keeping MySQL Up to Date

An easy way to stay better protected:


- New MySQL Patches, Bug Fixes, etc.
- You should take advantage of updates

MySQL: Good Security Practices


'MySQL' Vulnerabilities By Year
cvedetails.com (nvd.nist.gov)
[Bar chart: number of vulnerabilities per year, 2000 to 2011]

MySQL: Good Security Practices

yaSSL Vulnerabilities affecting MySQL in the past:
CVE-2005-3731: Certificate Chain Processing
CVE-2008-0227: Denial of Service (crash)
CVE-2008-0226: Allowed Execution of Arbitrary Code
CVE-2009-4484: Allowed Execution of Arbitrary Code, Denial of Service Possible

MySQL: Good Security Practices


Passwords: Root Accounts
They are empty by default

Quick Check: mysql -u root ("Welcome to the MySQL monitor" = Not Good)

shell> mysql -u root
mysql> UPDATE mysql.user SET Password = PASSWORD('newpwd')
    -> WHERE User = 'root';
mysql> FLUSH PRIVILEGES;

MySQL: Good Security Practices

Passwords: Anonymous Accounts


Assign passwords to anonymous accounts:
shell> mysql -u root -p
Enter password: (enter root password here)
mysql> UPDATE mysql.user SET Password = PASSWORD('newpwd')
    -> WHERE User = '';
mysql> FLUSH PRIVILEGES;

Or remove the accounts:

shell> mysql -u root -p
Enter password: (enter root password here)
mysql> DROP USER ''@'localhost';
mysql> DROP USER ''@'host_name';

MySQL: Good Security Practices


Passwords: Strength is Key
- Use strong passwords
- Combine letters and numbers
- mhallwltpic++ = "mary had a little lamb who liked to program in C++"
- uuidgen, pwgen tools

MySQL: Good Security Practices


Securing Test Databases
By default, anyone can access test databases
- Convenient for testing, not production

Delete databases or restrict privileges

shell> mysql -u root -p
Enter password: (enter root password here)
mysql> DELETE FROM mysql.db WHERE Db LIKE 'test%';
mysql> FLUSH PRIVILEGES;

MySQL: Good Security Practices


Securing mysqld
Don't run MySQL as root user
shell> mysqld --user=mysql

Disable Remote Access (--skip-networking)


- Only allows access from local machine


MySQL: Good Security Practices


mysql_secure_installation script
Allows you to:
- Set a password for root account
- Remove root accounts that are accessible from outside of the local host
- Remove anonymous user accounts
- Remove the test database that can be accessed from all users
- Reload privilege tables so that above take effect

* Not available on Windows

MySQL: Good Security Practices

Notes about Privileges


Don't grant all users PROCESS or SUPER privilege
Can see text of currently-executing queries ( SHOW processlist; )

Don't grant all users the FILE privilege


Enables reading/writing to file system wherever mysqld process has access


MySQL: Good Security Practices


Additional Measures
These depend on your unique situation:

Restrict access to log files
- Ensure only root and the mysqld user can access log files

Restrict MySQL data directory access only to server account

MySQL: Good Security Practices


Additional Measures
Add Application-specific Users
- Each user only has required privileges (Ex: Ruby/PHP/etc. Application)

Restrict where MySQL listens


- You might only need to listen on localhost
--bind-address=127.0.0.1

MySQL: Good Security Practices


Additional Measures
Can disable LOAD DATA LOCAL INFILE command
- Can allow reading of local files

Remove Content of MySQL History File


- All executed SQL commands are stored
shell> cat /dev/null > ~/.mysql_history
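The server-side settings from the preceding slides (unprivileged mysqld user, restricted networking, LOAD DATA LOCAL INFILE disabled) can be checked mechanically. The script below is an added example, not part of the original slides: it audits the [mysqld] section of an option file and, looking ahead to Part II, requires ssl-ca, ssl-cert and ssl-key when the server is reachable from other hosts. Assumptions: the sample configuration is constructed, and local-infile is the option-file name of the server option controlling LOAD DATA LOCAL INFILE (the slides do not name it).

```shell
#!/bin/sh
# Added example: audit the [mysqld] section of a MySQL option file (stdin)
# against the slide recommendations. Prints findings; exit status 1 on FAIL.
audit_mycnf() {
  awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function fail(msg) { print "FAIL " msg; bad = 1 }
    { sub(/[ \t]*#.*$/, "") }                        # strip # comments
    /^[ \t]*(;.*)?$/ { next }                        # blank or ; comment line
    /^[ \t]*\[/ { sect = tolower(trim($0)); next }   # [section] header
    sect == "[mysqld]" {
      eq  = index($0, "=")
      key = tolower(trim(eq ? substr($0, 1, eq - 1) : $0))
      gsub(/_/, "-", key)        # bind_address and bind-address are one option
      opt[key] = trim(eq ? substr($0, eq + 1) : ""); seen[key] = 1
    }
    END {
      if (opt["user"] == "" || opt["user"] == "root")
        fail("user: run mysqld as an unprivileged account, e.g. user=mysql")
      v = tolower(opt["local-infile"])
      if (v != "0" && v != "off" && v != "false")
        fail("local-infile: LOAD DATA LOCAL INFILE is not disabled")
      a = opt["bind-address"]
      if (!seen["skip-networking"] && a != "127.0.0.1" && a != "::1" && a != "localhost") {
        print "WARN network: server accepts connections from other hosts"
        n = split("ssl-ca ssl-cert ssl-key", need, " ")
        for (i = 1; i <= n; i++)
          if (opt[need[i]] == "") fail(need[i] ": remote access without SSL files")
      }
      exit bad + 0
    }'
}

# Constructed sample: deliberately weak server section, unrelated [client] section.
sample_mycnf() {
  cat <<'EOF'
[client]
user = app
[mysqld]
user = root            # runs as root
bind_address = 0.0.0.0
ssl-ca   = ca-cert.pem
ssl-cert = server-cert.pem
EOF
}

# Audit the file given as $1, or the constructed sample when run without arguments.
if [ $# -gt 0 ]; then audit_mycnf < "$1"; else sample_mycnf | audit_mycnf || true; fi
```

Only the [mysqld] section is evaluated, so the user entry under [client] in the sample does not mask the root finding.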

Part II
SSL / TLS

- Overview
- X.509 Certificates
- Handshake
- MySQL and SSL

SSL: What is it?

By default, MySQL uses unencrypted connections between the client and server!


SSL: What is it?

Enables secure client/server communication, including:

Privacy: + Prevent eavesdropping
Authentication: + Prevent impersonation
Integrity: + Prevent modification

Can be implemented on almost any operating system (or bare metal!)

SSL: Where does it fit?

- Layered between Transport and Application layers:

Application Layer: protocols secured by SSL/TLS (HTTP, LDAP, SMTP, etc.), SSL Handshake Protocol, SSL Change Cipher Spec Protocol, SSL Alert Protocol
SSL Record Layer
Transport Layer: TCP
Internet Layer: IP
Network Layer: Network Access

SSL: Authentication

- Do you really know who you're communicating with?

[Diagram: Alice and Bob]

SSL: Authentication

- Generate a key pair (private and public keys)

[Diagram: Alice and Bob each hold a private key and a public key]

SSL: Authentication

- X.509 Certificate == Wrapper around public key

[Diagram: Alice and Bob each hold a private key and an X.509 certificate containing the public key]

SSL: X.509 Certificates


X509 Cert


SSL: X.509 Certificates


X509 Cert

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            87:4a:75:be:91:66:d8:3d
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Oregon, L=Portland, O=yaSSL, OU=Programming, CN=www.yassl.com/emailAddress=info@yassl.com
        Validity
            Not Before: Oct 24 18:21:55 2011 GMT
            Not After : Jul 20 18:21:55 2014 GMT
        Subject: C=US, ST=Oregon, L=Portland, O=yaSSL, OU=Programming, CN=www.yassl.com/emailAddress=info@yassl.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c3:03:d1:2b:fe:39:a4
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0
            X509v3 Authority Key Identifier:
                keyid:33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0
                DirName:/C=US/ST=Oregon/L=Portland/O=yaSSL/OU=Programming/CN=www.yassl.com/emailAddress=info@yassl.com
                serial:87:4A:75:BE:91:66:D8:3D

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        1c:7c:42:81:29:9e:21:cf:d0:d8

SSL: Authentication

- Alice and Bob exchange CA-signed public keys

[Diagram: Alice and Bob each hold a private key and a CA-signed X.509 certificate containing the public key]

SSL: Authentication

- How do you get a CA-signed cert?

Buy
- VeriSign, DigiCert, Comodo, etc.
- Costs $$$
- Trusted

Create
- Created yourself (self-sign)
- Free!
- Trusted (if you control both sides)

SSL: Encryption

- Uses a variety of encryption algorithms to secure data

Hashing Functions: MD4, MD5, SHA
Block and Stream Ciphers: DES, 3DES, AES, ARC4
Public Key Options: RSA, DSA, DSS

Together these make up the CIPHER SUITE

SSL: Encryption

- A common CIPHER SUITE is negotiated

Protocol_keyexchange_WITH_bulkencryption_mode_messageauth

SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA

SSL: Handshake
Client -> Server: Client Hello
    Cryptographic Info (SSL version, supported ciphers, etc.)
Server -> Client: Server Hello
    Cipher Suite
    Server Certificate
    Server Key Exchange (public key)
    ( Client Certificate Request )
    Server Hello Done
Client: Verify server cert, check crypto parameters
Client -> Server: Client Key Exchange
    ( Certificate Verify )
    ( Client Certificate )
Server: Verify client cert (if required)
Client -> Server: Change Cipher Spec, Client Finished
Server -> Client: Change Cipher Spec, Server Finished
Client <-> Server: Exchange Messages (Encrypted)

SSL: Where is it used?

SSL is Everywhere!
- Browsers
- Email
- Routers
- Factory Automation
- VoIP
- Automobile Communications
- Sensors
- Smart Power Meters
And much more!!

SSL: What does MySQL provide?

- Your system must support either OpenSSL or yaSSL
- MySQL must be built with SSL support

Note: MySQL is bundled with yaSSL

MySQL: Is SSL Enabled?

Checking for SSL

Confirm that the user table in the 'mysql' database includes SSL-related columns:
- Beginning with: ssl_, x509_

Check if binary is compiled with SSL support (an "unknown option" error means it is not):

shell> mysqld --ssl --help
060525 14:18:52 [ERROR] mysqld: unknown option '--ssl'

mysqld: Check for 'have_ssl' system variable

MySQL: Building with SSL

Configure MySQL to use the built-in SSL (yaSSL):


shell> cmake . -DWITH_SSL=bundled

-DWITH_SSL options:
no: No SSL support (default)
yes: Use system SSL library if present, else bundled library
bundled: SSL library bundled with MySQL (yaSSL)
system: Use the system SSL library

** yaSSL on Unix requires /dev/urandom and /dev/random to be available

MySQL: Starting the Server

To allow client connections through SSL, start MySQL with the appropriate options:

shell> mysqld_safe --user=mysql \
         --ssl-ca=ca-cert.pem \
         --ssl-cert=server-cert.pem \
         --ssl-key=server-key.pem

--ssl-ca: Identifies the certificate authority certificate
--ssl-cert: Identifies the server certificate (public key)
--ssl-key: Identifies the server private key

MySQL: Starting the Client

I. Account created with GRANT statement including REQUIRE SSL:

shell> mysql -u user -p --ssl-ca=ca-cert.pem

II. Account created with REQUIRE X509 in addition:

shell> mysql -u user -p --ssl-ca=ca-cert.pem \
         --ssl-cert=client-cert.pem \
         --ssl-key=client-key.pem

MySQL: SSL Options

Name: have_openssl, have_ssl, skip-ssl, ssl, ssl-ca, ssl-capath, ssl-cert, ssl-cipher, ssl-key, ssl-verify-server-cert

Cmd-Line Yes Yes Yes Yes Yes Yes Yes Yes

Option File System Var Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes

Var Scope Global Global Global Global Global Global Global

Dynamic No No No No No No No

http://dev.mysql.com/doc/refman/5.5/en/ssl-options.html

MySQL: SSL Options

have_openssl, have_ssl
YES = mysqld supports SSL connections
DISABLED = server was compiled with SSL support, not enabled (--ssl-xxx)

Check: SHOW VARIABLES LIKE 'have%ssl';

MySQL: SSL Options

skip-ssl
Indicate that SSL should not be used
Same as using --ssl=0

ssl
Server: Specifies that the server permits SSL connections
Client: Permits a client to connect to server using SSL

MySQL: SSL Options

ssl-ca

The path to the file containing list of trusted CAs

ssl-capath

The path to a directory containing trusted CAs (PEM format)
*NOTE: Only supported when using OpenSSL

MySQL: SSL Options

ssl-cert
Name of the SSL certificate to be used

ssl-cipher
A list of permissible ciphers to use for SSL
--ssl-cipher=AES128-SHA
--ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA

MySQL: SSL Options

ssl-key
Name of the SSL key file

ssl-verify-server-cert
- Clients only
- Server's Common Name verified against server host name
- Connection rejected if no match

SSL: Certificate Creation

A. Generating Certificates
1. Create CA certificate (private key, public cert)
2. Create server key
3. Create server certificate
4. Create client key
5. Create client certificate

SSL: Certificate Creation

A. Generating Certificates

Create CA certificate (private key, public cert)


shell> openssl genrsa 2048 > ca-key.pem
shell> openssl req -new -x509 -nodes -days 1000 \
         -key ca-key.pem > ca-cert.pem

SSL: Certificate Creation

A. Generating Certificates

Create server key and certificate


shell> openssl req -newkey rsa:2048 -days 1000 \
         -nodes -keyout server-key.pem > server-req.pem
shell> openssl x509 -req -in server-req.pem -days 1000 \
         -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

SSL: Certificate Creation

A. Generating Certificates

Create client key and certificate


shell> openssl req -newkey rsa:2048 -days 1000 \
         -nodes -keyout client-key.pem > client-req.pem
shell> openssl x509 -req -in client-req.pem -days 1000 \
         -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem

SSL: Certificate Creation

A. Generating Certificates

Remove passphrase from client/server key:


shell> openssl rsa -in client-key.pem -out client-key.pem
shell> openssl rsa -in server-key.pem -out server-key.pem
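The certificate-creation steps above, as one non-interactive script followed by the checks the files should pass before they are handed to mysqld and the clients. This is an added example, not part of the original slides. Assumptions: the subject names are constructed, and unlike the slide commands the server and client certificates get different serial numbers, since serials issued by one CA are expected to be unique.

```shell
#!/bin/sh
# Added example: CA, server and client certificates in one pass, then checks.
# Subject names are constructed sample values.

make_certs() {   # $1 = output directory
  mkdir -p "$1" || return 1
  (
    cd "$1" || exit 1
    umask 077                      # keys readable by their owner only
    # 1. CA private key and self-signed CA certificate
    openssl genrsa -out ca-key.pem 2048 2>/dev/null &&
    openssl req -new -x509 -nodes -days 1000 -key ca-key.pem \
        -subj "/CN=Example MySQL CA" -out ca-cert.pem &&
    # 2-5. Key and CA-signed certificate for the server, then the client.
    # Each certificate gets its own serial and a CN that differs from the CA.
    for who in server:01 client:02; do
      name=${who%%:*}
      openssl req -newkey rsa:2048 -nodes -keyout "$name-key.pem" \
          -subj "/CN=mysql-$name.example.test" -out "$name-req.pem" 2>/dev/null &&
      openssl x509 -req -in "$name-req.pem" -days 1000 -CA ca-cert.pem \
          -CAkey ca-key.pem -set_serial "${who##*:}" \
          -out "$name-cert.pem" 2>/dev/null || exit 1
    done
  )
}

cert_serial() { openssl x509 -in "$1" -noout -serial; }

verify_certs() {   # $1 = directory written by make_certs
  for name in server client; do
    # The certificate must chain to the CA file that --ssl-ca will name.
    openssl verify -CAfile "$1/ca-cert.pem" "$1/$name-cert.pem" \
        >/dev/null 2>&1 || return 1
    # Certificate and private key must carry the same public key.
    [ "$(openssl x509 -in "$1/$name-cert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/$name-key.pem" -pubout 2>/dev/null)" ] || return 1
  done
  # Serial numbers issued by one CA must not repeat.
  [ "$(cert_serial "$1/server-cert.pem")" != "$(cert_serial "$1/client-cert.pem")" ]
}

# Usage: sh make-certs.sh ./certs
if [ $# -gt 0 ]; then
  make_certs "$1" && verify_certs "$1" && echo "certificates in $1 verified"
fi
```

A failure in verify_certs before deployment is cheaper to diagnose than a rejected SSL connection from the mysql client, which reports far less detail.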

MySQL: SSL Performance

Test Machine
- MacBook Pro
- 2.33 GHz
- 2 GB 667 MHz DDR2 SDRAM
- Mac OS X 10.6.6 (Snow Leopard)

MySQL: SSL Performance

Footprint Size


MySQL: SSL Performance

MySQL Footprint Size
SSL vs. No SSL

Command:
du -sh .

Result (Size, Mb):
SSL: 239
No SSL: 227
5.3% Difference (12 Mb)

MySQL: SSL Performance

MySQL Footprint Comparison (Detail)
SSL vs. No SSL

Command:
du -sh *

Size (Mb):
bin: 86 (SSL), 79 (No SSL)
lib: 13 (SSL), 9.2 (No SSL)

MySQL: SSL Performance

Average Query Times


(SELECT Queries, sysbench)


MySQL: SSL Performance


MySQL Average SELECT Query Times
No SSL vs. SSL, 100,000 Requests, sysbench

[Line chart: Average Query Time (ms) against Concurrency (# of Client Connections), No SSL and SSL]

MySQL: SSL Performance


MySQL Average SELECT Query Times (ms)
No SSL vs. SSL, 100,000 Requests, sysbench

Concurrency (# of Client Connections)   No SSL   SSL
1                                       0.1      0.14
2                                       0.1      0.14
4                                       0.21     0.29
8                                       0.65     0.76
16                                      1.33     1.62
32                                      2.67     3.32

MySQL: SSL Performance


MySQL Average SELECT Query Times
No SSL vs. SSL, 100,000 Requests, sysbench

Client Concurrency = 8
Average Query Time (ms): No SSL 0.65, SSL 0.76
16.9% Difference (0.11 ms)

Part III
Additional Security Concerns
Data Encryption

Data Storage and Encryption


Client Side Encryption
Encrypt data in code before it is passed to MySQL
Many encryption modules available (PHP, Perl, etc.)

Advantages
- Data encrypted between code & MySQL
- Allows the use of bin logging (MySQL backup/replication)
Disadvantages
- What to do with the key?

Data Storage and Encryption


Server Side Encryption
AES_ENCRYPT(), AES_DECRYPT() functions
- AES-128 Default
- AES-256 w/ source-code change

Entire Disk Encryption

Transparent Data Encryption (Gazzang ezNcrypt)

Data Storage and Encryption

Gazzang ezNcrypt
ezNcrypt sits between your storage engine and file system to encrypt your data before it hits the disk.
Traditionally called - Transparent Data Encryption (TDE)
The data is encrypted transparently, no changes are needed to your application, code or MySQL.

Application SQL: insert into orders (number, credit card,.) Values (20090101,4307,)
Table Orders: 20090101,4307
File System orders.myd: 9f7c7d77a87 7fg8e78s09ab

Data Storage and Encryption

Gazzang ezNcrypt
Gazzang Key Storage System (KSS)


Data Storage and Encryption


Server Side Encryption
Advantages:
- Data is stored encrypted
- Easy to use
Disadvantages:
- bin logging (all queries are shown in plain text)
  Exception: Gazzang can protect the bin logs
- What to do with the key?

Part IV
Wrap-Up

- Licensing Concerns
- About yaSSL

Licensing Concerns

yaSSL vs. OpenSSL


- OpenSSL uses BSD-style license with announcement clause
- Makes it incompatible with GPL
- yaSSL = dual licensed (GPL, Commercial)

What did we cover?

Part I: MySQL Security
1. Good Security Practices for MySQL
Part II: SSL/TLS
1. Overview of SSL and TLS
2. Configuring and Building MySQL with SSL
3. MySQL SSL Command Options
4. SSL Certificate Creation
5. Performance Comparison
Part III: Additional Security Concerns
1. Data Storage and Encryption

Thanks!

http://www.yassl.com

Email: info@yassl.com
Phone: (206) 369-4800

Helpful Sources

MySQL Manual:
http://dev.mysql.com/doc/refman/5.5/en/
http://dev.mysql.com/doc/refman/5.5/en/default-privileges.html
http://dev.mysql.com/doc/refman/5.5/en/mysql-secure-installation.html
http://dev.mysql.com/doc/refman/5.5/en/secure-connections.html
http://dev.mysql.com/doc/refman/5.5/en/security-against-attack.html

MySQL Security Resources around the Internet:
http://www.symantec.com/connect/articles/secure-mysql-database-design

SSL/TLS:
https://www.ssllabs.com/
http://en.wikipedia.org/wiki/Transport_Layer_Security