Protecting the connection string in a .NET Winforms application?

2

I have a .NET Windows Forms application that connects directly to a SQL Server instance, without an intermediate layer such as a WebService or WebAPI, using SqlConnection. The application is installed on the client's computer, while the server is reachable over the internet.

What is the best way, without changing the entire application, to prevent the connection string from being captured by a sniffer such as WireShark running on the same network?

asked by anonymous 07.02.2014 / 18:47

3 answers

0

I have noticed that older versions of SQL Server, earlier than 2005 (specifically 2000), do not work with the encrypt=yes parameter in the connection string. I tried on another, newer server and got the error:

provider: SSL provider, error: 0 - The certificate chain was issued by an authority that is not trusted.

Then I found another parameter, trustservercertificate=true, which I added to my connection string, and it worked. This parameter makes my client accept the certificate issued by the server.

In tests I did with WireShark I was unable to intercept the connection string, the SQL statements, or the returned data. The data now travels encrypted.

So the solution I found was to include this snippet at the end of the connection string:

encrypt=yes;trustservercertificate=true;
13.02.2014 / 20:13
2

According to this article in English, the SQL Server connection component already encrypts the important parts of the connection string during the connection, such as the password and username... unless you use ODBC.

Following a few links from that article, I found this MSDN article, Encrypting connections to SQL Server, which shows how to force the use of SSL to encrypt ALL of the data traffic between the client and the SQL Server.

07.02.2014 / 19:20
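The two answers above both come down to the same two connection-string keywords, and the second one (trustservercertificate=true) deserves a caveat: it makes the "certificate chain ... not trusted" error go away because it turns certificate validation off entirely, so a host on the same network that intercepts the TDS session can present its own certificate and the client will accept it. The validated form is Encrypt=true with TrustServerCertificate=false, plus the server's certificate (or its issuing CA) installed in the client's Trusted Root store and a Data Source that matches the certificate's subject. The helper below is an added example, not code from either answer: it parses a connection string with SqlConnectionStringBuilder (System.Data.SqlClient) and reports which of these protections are missing, then emits the hardened form. It never opens a connection; the sample string, host name, database and credentials in Main are constructed for the demonstration.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;

// Added example: audits the transport-security keywords discussed in the answers.
static class ConnectionStringAudit
{
    // Returns one finding per weak setting; an empty list means the string asks
    // for TLS with a validated server certificate and embeds no SQL password.
    public static List<string> Check(string connectionString)
    {
        var findings = new List<string>();
        // The builder understands the same keywords SqlConnection does,
        // including "encrypt=yes" and the case-insensitive key names.
        var b = new SqlConnectionStringBuilder(connectionString);

        if (!b.Encrypt)
            findings.Add("Encrypt is off: login and query traffic can cross the network in clear text.");

        if (b.TrustServerCertificate)
            findings.Add("TrustServerCertificate=true: chain validation is skipped, so an " +
                         "interposed host can present its own certificate and read the session.");

        if (!b.IntegratedSecurity && !string.IsNullOrEmpty(b.Password))
            findings.Add("SQL password embedded in the connection string: it is recoverable " +
                         "from the installed binary or its config regardless of TLS.");

        return findings;
    }

    // Hardened form: TLS required and the server certificate validated against the
    // client's trusted roots. For this to connect, the server's certificate (or its
    // issuing CA) must be trusted on the client and its subject must match Data Source.
    public static string Hardened(string connectionString)
    {
        var b = new SqlConnectionStringBuilder(connectionString)
        {
            Encrypt = true,
            TrustServerCertificate = false
        };
        return b.ConnectionString;
    }
}

class Program
{
    static void Main()
    {
        // Constructed sample mirroring the first answer's settings; the host name,
        // database name and credentials are made up for the example.
        string fromAnswer = "Data Source=db.example.test;Initial Catalog=Vendas;" +
                            "User ID=app;Password=s3cret;encrypt=yes;trustservercertificate=true;";

        foreach (string finding in ConnectionStringAudit.Check(fromAnswer))
            Console.WriteLine("WARN: " + finding);

        // Re-emits the string with Encrypt=True and TrustServerCertificate=False.
        Console.WriteLine("Hardened: " + ConnectionStringAudit.Hardened(fromAnswer));
    }
}
```

Running Check on the sample reports the TrustServerCertificate and embedded-password findings but not the Encrypt one, which is exactly the gap the first answer's string leaves open. Note that Hardened only changes the client side: until the server's certificate is trusted by the client (install the CA, or for a self-signed certificate the certificate itself, under Trusted Root Certification Authorities), the connection will fail with the same chain error the answer quotes, and that failure is the client refusing an unverified peer rather than a bug to silence.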
1

The correct approach is not to have a client -> database connection but rather client -> webService (with authentication) -> database. However much you try to encode or encrypt the string, all traffic between the client and the database can be captured by the sniffer. Any select can be captured; even if your application does not display this data, it will travel in the traffic and can be captured without difficulty.

Even if you try to implement a secure connection, this can be circumvented with sslstrip. It is easier to create a WebService and so keep the communication with the database isolated from the client.

07.02.2014 / 19:12