In my previous blogs I told you to enable SSL/TLS and force the
connection to be secured. So I followed my own advice and forced
SSL. Great!
So now everything is 100% secure, isn't it?
No, it isn't, and I would never claim anything to be 100% secure.
There are important differences between the SSL/TLS implementations in
browsers and the implementation in MySQL. One of these differences
is that your browser ships with a trust store containing a large set of
trusted certificate authorities. If the website you visit has SSL
enabled, your browser checks that the certificate it
presents is signed by one of those trusted CAs. MySQL does not ship with
such a list of trusted CAs: the client only verifies the server's
certificate if you explicitly point it at a CA. For many setups this
makes sense.
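What this means in practice for the mysql command-line client, as an added example that is not part of the original post: a `[client]` section in `~/.my.cnf` that only insists on TLS, next to one that also authenticates the server. The CA path is an assumption; substitute the CA that actually signed your server certificate.

```ini
# Added example, not from the original post. Pick ONE of the two
# [client] sections below for ~/.my.cnf; they are shown together only
# to contrast the settings. /etc/mysql/ssl/ca.pem is an assumed path.

# Weak: the connection is encrypted, and with ssl-mode=REQUIRED the
# client refuses to talk plaintext, but no CA is configured, so ANY
# certificate the server presents is accepted. Someone in the path can
# terminate TLS with their own certificate and the client will not notice.
[client]
ssl-mode=REQUIRED

# Corrected: point the client at the CA that signed the server
# certificate. VERIFY_CA rejects certificates not signed by that CA;
# VERIFY_IDENTITY additionally checks that the certificate matches the
# host name you connected to, which is what a browser does for you.
[client]
ssl-ca=/etc/mysql/ssl/ca.pem
ssl-mode=VERIFY_IDENTITY
```

`ssl-mode` exists in MySQL 5.7.11 and later. On older clients the equivalent is `ssl-ca=...` (which makes the client verify the certificate chain against that CA) together with `ssl-verify-server-cert=1` (which checks the certificate's Common Name against the host name). One caveat when checking your setup: `SHOW STATUS LIKE 'Ssl_cipher'` only tells you that the connection is encrypted, not that the server certificate was verified; the only reliable check is to connect with the verifying options and confirm that a server presenting a certificate from the wrong CA is rejected.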
The key difference is that a website has clients (browsers) which
are not managed by the same organization. For MySQL
connections the set of clients is often much smaller and more or
less managed by one organization. Adding a CA for a set of …