From 77162c3f8a474ca28fad0fbbbff75371241e10eb Mon Sep 17 00:00:00 2001 From: Martin Goik <goik@hdm-stuttgart.de> Date: Mon, 18 Dec 2017 14:20:49 +0100 Subject: [PATCH] Wireshark hints --- Doc/Sda1/jdbc.xml | 74 +++++++++++++++++++++++++++-------------------- 1 file changed, 43 insertions(+), 31 deletions(-) diff --git a/Doc/Sda1/jdbc.xml b/Doc/Sda1/jdbc.xml index e68a84d07..0cfe4abcd 100644 --- a/Doc/Sda1/jdbc.xml +++ b/Doc/Sda1/jdbc.xml @@ -1665,21 +1665,11 @@ public someClass { <para>Password?</para> </figure> - <para>Something seems to be missing here: The user's password. Our - code in <xref linkend="sda1_fig_jdbcSimpleWrite"/> contains the - password <quote><varname>XYZ</varname></quote> in clear text. But even - using the search function of <productname - xlink:href="https://www.wireshark.org">Wireshark</productname> does - not show any such string within the above capture. The <productname - xlink:href="https://www.mysql.com">Mysql</productname> documentation - however <link - xlink:href="https://dev.mysql.com/doc/refman/5.0/en/security-against-attack.html">reveals</link> - that everything but the password is transmitted in clear text. So all - we might identify is a hash of <code>XYZ</code>.</para> - <figure xml:id="sda1_jdbc_fig_jdbcMysqlSecurity"> <title><xref linkend="glo_Soft_Mysql"/> security</title> + <para>What about the missing password?</para> + <para><link xlink:href="https://dev.mysql.com/doc/refman/5.7/en/security-against-attack.html">Making MySQL Secure Against Attackers</link>:</para> 
@@ -1700,26 +1690,48 @@ public someClass { This typically comprises sensible data as well. Possible solutions:</para> - <itemizedlist> - <listitem> - <para>Create an encrypted tunnel between client and server like - e.g. <link - xlink:href="https://www.debianadmin.com/howto-use-ssh-local-and-remote-port-forwarding.html">ssh - port forwarding</link> or <link - xlink:href="https://en.wikipedia.org/wiki/Virtual_private_network">VPN</link>.</para> - </listitem> + <figure xml:id="sda1_jdbc_fig_jdbcSecurityImpact"> + <title><xref linkend="glo_Soft_Mysql"/> security</title> - <listitem> - <para>Many database vendors <link - xlink:href="https://dev.mysql.com/doc/refman/5.1/de/connector-j-reference-using-ssl.html">supply - SSL</link> or similar <trademark - xlink:href="https://en.wikipedia.org/wiki/Java_Database_Connectivity">JDBC</trademark> - protocol encryption extensions. This requires additional - configuration procedures like setting up server side certificates. - Moreover similar to the http/https protocols encryption generally - slows down data traffic.</para> - </listitem> - </itemizedlist> + <itemizedlist> + <listitem> + <para>Data exchange client to server nearly fully + disclosed.</para> + </listitem> + + <listitem> + <para>Possible solutions:</para> + + <itemizedlist> + <listitem> + <para>Encrypted tunnel between client and server: like e.g. + <link + xlink:href="https://www.debianadmin.com/howto-use-ssh-local-and-remote-port-forwarding.html">ssh + port forwarding</link> or <link + xlink:href="https://en.wikipedia.org/wiki/Virtual_private_network">VPN</link>.</para> + </listitem> + + <listitem> + <para>Many database vendors <link + xlink:href="https://dev.mysql.com/doc/refman/5.1/de/connector-j-reference-using-ssl.html">supply + SSL</link> or similar <trademark + xlink:href="https://en.wikipedia.org/wiki/Java_Database_Connectivity">JDBC</trademark> + protocol encryption extensions. 
This requires additional + configuration procedures like setting up server side + certificates. Moreover similar to the http/https protocols + encryption generally slows down data traffic.</para> + </listitem> + </itemizedlist> + </listitem> + </itemizedlist> + </figure> + + <para>Conclusion: <productname + xlink:href="https://www.mysql.com">Mysql</productname> mitigates the + attack type's severity</para> + + <para>Solution: Use <xref linkend="glo_TLS"/> if driver + supported.</para> <para>Of course this is only relevant if the transport layer is considered to be insecure. If both server and client reside within the -- GitLab
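Review bot: In the first hunk (@@ -1665), the removed paragraph carried the actual explanation of the capture result (the password `XYZ` never appears in the Wireshark trace because, per the MySQL manual, everything but the password travels in clear text), while the replacement only asks "What about the missing password?" and links to the manual, so a reader of the figure no longer gets the answer on the page. Suggest keeping one sentence of the old text under the new question, e.g. "Searching the capture for XYZ yields nothing: MySQL transmits everything but the password in clear text.", and note that `<para>` placed directly inside `<figure>` may not validate against the DocBook 5 schema, so a `<caption>` or a paragraph preceding the figure would be the safer place for it.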
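Review bot: In the second hunk (@@ -1700), the new figure `sda1_jdbc_fig_jdbcSecurityImpact` reuses the exact title of the figure above it (`<xref linkend="glo_Soft_Mysql"/> security`), which makes the two indistinguishable in the list of figures and in cross references; give it a distinct title such as "security impact". The trailing paragraphs also read unfinished: "Conclusion: Mysql mitigates the attack type's severity" lacks a full stop and does not say what is mitigated (the password), and "Solution: Use <xref linkend="glo_TLS"/> if driver supported." would be clearer as "if the driver supports it". Finally, the SSL link still points at the 5.1 German manual (`refman/5.1/de/connector-j-reference-using-ssl.html`) while the link added in the first hunk was bumped to `refman/5.7/en`; the two should be aligned.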