15

I was just using SQL Server Management Studio on my WiFi, and I was actually wondering how secure the traffic/database communication is. Is traffic from querying secure, or is it easily sniffed for passwords and sensitive data?

KallDrexx

3 Answers

15

By default the database communications are unencrypted and vulnerable to sniffing. To utilize encryption, you need to configure the SQL server with a certificate and then configure the client to take advantage of it. There's a pretty simple walkthrough for the process here

gowenfawr
10

gowenfawr's suggestion is partially wrong on this one. Your initial connection (username and password) to SQL Server may or may not pass your username in clear text. This can depend on what connection type you use (ODBC, OLE DB, etc.). Your password is always passed in encrypted format by SQL Server. Now your data itself from the queries being passed will show up in clear text, by default.

I wrote up a tip on MSSQLTips.com about this and show the captures from Wireshark. It shows that your username will be passed in clear text if you are using ODBC, but SSMS uses OLE DB and will not show your username.

To easily hide your data itself, you can just enable "Force Encryption" as I wrote about, and let it use the cert SQL Server generates. Although a stronger encryption would be accomplished using gowenfawr's suggestion. You will want to read up on this as using this feature will deny connections to your applications in some circumstances.

2

Tunnel the SSMS connection through SSH. To specify a port in the SSMS connection string use comma + port. For example...

Without tunnel: "sql.northwind.com" (which is the same as sql.northwind.com,1433)

With tunnel: "localhost,1433"

Or if you need to change the source port (if you have SQL running on your local box): "localhost,50000" with the SSH tunnel forwarding to 1433/tcp on the remote end

Joe S.
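A defender's check that ties the answers together (added example, not code from any of the answers): it parses the SSMS `host,port` form from the SSH-tunnel answer, builds a connection string that requests TLS as the first two answers describe, and audits `sys.dm_exec_connections` for sessions that are still in the clear. The live query assumes pyodbc and "ODBC Driver 18 for SQL Server" are installed; the sample rows are constructed so the audit logic runs offline.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

def parse_server(server: str) -> Tuple[str, int]:
    """Split the SSMS 'host,port' form; a bare host means port 1433."""
    host, sep, port = server.partition(",")
    return host.strip(), int(port) if sep else 1433

def build_conn_str(server: str, database: str = "master",
                   encrypt: bool = True, trust_cert: bool = False) -> str:
    """Request TLS; keep trust_cert False so the server cert is validated
    (Encrypt=yes alone stops sniffing, cert validation stops impostors)."""
    host, port = parse_server(server)
    return ("Driver={ODBC Driver 18 for SQL Server};"
            f"Server={host},{port};Database={database};Trusted_Connection=yes;"
            f"Encrypt={'yes' if encrypt else 'no'};"
            f"TrustServerCertificate={'yes' if trust_cert else 'no'};")

# One row per live connection; encrypt_option is the string 'TRUE' or 'FALSE'.
AUDIT_SQL = ("SELECT session_id, net_transport, encrypt_option, auth_scheme, "
             "client_net_address FROM sys.dm_exec_connections")

@dataclass
class Conn:
    session_id: int
    net_transport: str
    encrypt_option: str
    auth_scheme: str
    client_net_address: Optional[str]

def unencrypted_sessions(rows: List[Conn]) -> List[int]:
    """Session ids carrying TDS over TCP without TLS; shared-memory sessions
    never leave the host, so only TCP transport is checked here."""
    return sorted(r.session_id for r in rows
                  if r.net_transport == "TCP" and r.encrypt_option.upper() != "TRUE")

def audit_live(conn_str: str) -> List[int]:
    """Query a real server (login needs VIEW SERVER STATE to see all sessions)."""
    import pyodbc  # imported here so the offline parts run without the driver
    with pyodbc.connect(conn_str) as cn:
        rows = [Conn(*row) for row in cn.execute(AUDIT_SQL).fetchall()]
    return unencrypted_sessions(rows)

# Constructed sample rows standing in for a real sys.dm_exec_connections result.
SAMPLE_ROWS = [
    Conn(51, "Shared memory", "FALSE", "NTLM", None),   # local SSMS, never on the wire
    Conn(53, "TCP", "FALSE", "SQL", "192.0.2.10"),      # cleartext over the WiFi
    Conn(55, "TCP", "TRUE", "KERBEROS", "192.0.2.11"),  # TLS negotiated
    Conn(57, "TCP", "FALSE", "NTLM", "192.0.2.12"),     # cleartext
]
```

Run `audit_live(build_conn_str("localhost,50000"))` through the tunnel from the last answer to get the list of session ids that still need Force Encryption or a tunnel of their own.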