How do I securely connect a vb.Net Windows Client application to a SQL server hosted on the Internet?

Posted on 2009-02-19
Last Modified: 2012-05-06

I have a .Net Windows Client Application which usually runs on a corporate network connecting to SQL Server 2005. I use SQL authentication with a simple connection string, and I believe the .Net SqlClient sends the password to the server in clear text as part of the connection string.

One of my clients wants to host the application on a commercially hosted SQL server and connect to it over the Internet. I have told them that they will need an SSL certificate to be loaded and set up on the SQL server.

Assuming that the DB Server Administrator sets up the SSL certificate correctly, is it true that all I have to do in my application is add "encrypt=true" to the SQL Connection String?

Is this going to be reasonably secure enough to run over the internet?

Thanks in Advance

Question by: mj_stanton

Accepted Solution

jjardine earned 2000 total points
ID: 23688571
Besides using IPSec, I am not aware of any more secure methods for connecting to a hosted SQL server. Usually the hosts don't provide a lot of flexibility for specifying certificates for security, so SSL is probably the only option. SSL is going to be a pretty good way to hide the data. Depending on the SQL server, you may be more concerned with the lack of lockout policies for people to try and brute force your credentials. SSL will protect the data in transit just fine.

Author Comment

ID: 23688581
If I use SSL and "encrypt=true" in the connection string, does that mean that the username and password are not sent in plain text across the internet?

Assisted Solution

jjardine earned 2000 total points
ID: 23688601
I would say that the SSL connection is created before the login credentials are sent across the network, just like they would be for https. You could verify this if you hooked up a packet sniffer to watch the traffic on the network (if you want to go that far). I would think that no one would use SQL if it sent the credentials in cleartext no matter what security was used.
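
As an added example (not part of the original posts), here is one way to set `Encrypt=True` from VB.NET and then ask the server whether the session really is encrypted, as an alternative to the packet sniffer mentioned above. The host, database, login and the `APP_DB_PASSWORD` environment variable are constructed placeholders, and the check assumes the login is allowed to read `sys.dm_exec_connections` (VIEW SERVER STATE), which a hosting provider may not grant.

```vbnet
Imports System
Imports System.Data.SqlClient

Module EncryptedConnectionCheck
    ' Builds the connection string. Server, database and login are constructed placeholders.
    Function BuildConnectionString(ByVal password As String) As String
        Dim b As New SqlConnectionStringBuilder()
        b.DataSource = "sql.example.com"
        b.InitialCatalog = "AppDb"
        b.UserID = "app_user"
        b.Password = password
        b.Encrypt = True                  ' request SSL for the whole session
        b.TrustServerCertificate = False  ' validate the server certificate instead of accepting any
        Return b.ConnectionString
    End Function

    ' Returns True only when the server itself reports this session as encrypted.
    Function SessionIsEncrypted(ByVal conn As SqlConnection) As Boolean
        Const sql As String = "SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID"
        Using cmd As New SqlCommand(sql, conn)
            Dim value As Object = cmd.ExecuteScalar()
            Return value IsNot Nothing AndAlso
                String.Equals(value.ToString(), "TRUE", StringComparison.OrdinalIgnoreCase)
        End Using
    End Function

    Sub Main()
        Dim pwd As String = Environment.GetEnvironmentVariable("APP_DB_PASSWORD")
        If pwd Is Nothing Then
            Console.Error.WriteLine("APP_DB_PASSWORD is not set.")
            Return
        End If
        Using conn As New SqlConnection(BuildConnectionString(pwd))
            Try
                conn.Open() ' fails here if SSL cannot be negotiated or the certificate is not trusted
            Catch ex As SqlException
                Console.Error.WriteLine("Connection refused or certificate rejected: " & ex.Message)
                Return
            End Try
            Try
                Console.WriteLine("Server reports encrypted session: " & SessionIsEncrypted(conn))
            Catch ex As SqlException
                ' Assumption: most likely the login lacks VIEW SERVER STATE on a hosted server.
                Console.Error.WriteLine("Could not verify encryption from the server: " & ex.Message)
            End Try
        End Using
    End Sub
End Module
```

With `TrustServerCertificate=False`, the certificate installed on the server must chain to a root the client machine trusts and match the host name in `DataSource`, otherwise `Open()` throws instead of connecting.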
