MsSQL encrypted connection using SSL / TLS
Explanation
When the communication channel between the application and the database server is not encrypted, it may cause significant security risks. In this case, an attacker can modify the data entered by the user, or even execute arbitrary SQL commands on the database server.
For example, this risk may exist when you use the following connection string:
<connectionStrings>
  <add name="Test"
       connectionString="Data Source=210.10.20.10,1433; Initial Catalog=myDataBase;User ID=myUsername;Password=myPassword;"
       providerName="System.Data.SqlClient" />
</connectionStrings>
Enable SSL / TLS encrypted connections
Most database servers support the use of SSL / TLS to encrypt all data transmitted; you should use it as much as possible. To enable it, add Encrypt=True to your connection string. If your development environment does not have a trusted certificate, also add TrustServerCertificate=True to skip the check that the certificate is trusted. With that setting the traffic is still encrypted but the server's identity is not verified, so keep it to development environments.
<connectionStrings>
  <add name="Test"
       connectionString="Data Source=210.10.20.10,1433; Initial Catalog=myDataBase;User ID=myUsername;Password=myPassword;Encrypt=True;"
       providerName="System.Data.SqlClient" />
</connectionStrings>
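An added example, not part of the original page: a Python check that scans the connectionStrings section of a config file and flags entries that lack Encrypt=True or that set TrustServerCertificate=True. The sample config, entry names, host name and finding codes are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample config; host, names and credentials are placeholders.
SAMPLE_CONFIG = """<configuration>
  <connectionStrings>
    <add name="Plain" connectionString="Data Source=db.example.test,1433;Initial Catalog=myDataBase;User ID=u;Password=p;" providerName="System.Data.SqlClient" />
    <add name="Encrypted" connectionString="Data Source=db.example.test,1433;Initial Catalog=myDataBase;User ID=u;Password=p;Encrypt=True;" providerName="System.Data.SqlClient" />
    <add name="DevOnly" connectionString="Data Source=db.example.test,1433;Encrypt=True;TrustServerCertificate=True;" providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>"""

TRUE_VALUES = {"true", "yes"}  # boolean spellings treated as "on"


def parse_connection_string(cs):
    """Split 'Key=Value;...' into a dict; keys are lower-cased with spaces removed.
    Simplification: quoted values containing ';' are not handled."""
    pairs = {}
    for part in cs.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.replace(" ", "").lower()] = value.strip()
    return pairs


def audit_config(xml_text):
    """Return {entry name: [finding codes]} for each <add> under <connectionStrings>."""
    root = ET.fromstring(xml_text)
    if root.tag == "connectionStrings":  # bare fragment, as shown on this page
        entries = root.findall("add")
    else:
        entries = root.findall(".//connectionStrings/add")
    report = {}
    for entry in entries:
        opts = parse_connection_string(entry.get("connectionString", ""))
        findings = []
        if opts.get("encrypt", "false").lower() not in TRUE_VALUES:
            findings.append("unencrypted")  # Encrypt=True missing or off
        if opts.get("trustservercertificate", "false").lower() in TRUE_VALUES:
            findings.append("cert-validation-disabled")  # development use only
        report[entry.get("name", "?")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, findings or "ok")
```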
Related Links: https://docs.microsoft.com/en-us/sql/connect/jdbc/connecting-with-ssl-encryption