I'm developing a game coded in Flash AS3 and need to read/write info to an SQL server.
Currently, for testing purposes, I use ASQL which is very simple and robust, but it needs a direct connection from the client machine to the SQL server (port 3306 open and allowing wildcard username to connect from anywhere using a password) and the worse, the .swf format itself is not encrypted and a all decompilers will let you extract AS3 code, which means a password stored in code.
I have rounded up a few options but they all lack security measures:
AS3 code sending a POST req to a PHP page which connects to the MySQL server
Use amfphp, but the AMF protocol is still sniff-able
Keep current method and force users to have outgoing port 3306 open, which may confuse costumers.
Help/tips/discussion would be highly appreciated.
You can use HTTP(S) with authentication with e.g. PHP. Don't make the script a wrapper to the SQL connection, as this'd ruin the point of the script (essencially); have custom commands as the protocol (e.g. add/update high scores).
Depending on the number of commands needed I think you should choose option 1 (with only one or a few commands) or option 2 (if you have some more and complex commands to send). Don't open your database to the public internet.
What is the problem you are trying to solve/secure? If all your application (game) logic is at the client you cannot prevent people from faking results. The client is never to be trusted and no securing of the line (https or any other encryption of the communication) will help that -- that will only keep other people from eavesdropping.
If you are trying to secure the posting of high scores or game state - to my knowledge you can make it hard to fake them but you cannot make it impossible unless you move at least some game logic to the server.
Related
I want to build a VB.NET application that will connect to a MySQL database.
I was thinking of putting the MySQL password on the My.Setting file, but that's easy to read. Which would be the safest way to put the password on the program?
I don't want to ask for it on start-up, I want it to be embedded on the software, but WHERE?
Wellll..... If it's stored in an automatically program-readable format (aka, the user doesn't have to enter any kind of password or credential to enable the application to make use of said database password), then there isn't exactly a "safe" way since any kind of meaningful encryption requires that the user enter some credential to retrieve the encrypted information. You could store it in a module as Base64 text for obfuscation, but that's not really "safe." At all. It's just encoded differently (NOT encrypted).
The bigger question to me is, is the environment safe? On the back end of a website for example, the password for sql databases is usually stored in-the-clear in the php config files... but that's because the environment is secure: php source cannot be obtained by the public, and trusted users with access to the backend are assumed to be non-malicious.
So, that raises some questions:
Where is the application running from?
Where is the MySQL Database, local or remote?
How many people have access to this database or will be using this app?
These are all considerations that should be accounted for.
One other thing - if you're building a .NET application, there are certain .NET code-obfuscators out there that play with your compiled code to make it quite difficult to pillage once compiled. This may be of interest to you. I believe Dotfuscator ships standard with Visual Studio? You can register for a free account with them.
I'm having a problem with my re-frame application. I can't figure out how to connect it to a local database on my machine.
In other applications I've written, I've had to add the database specifications (username, password etc) into profiles.clj. Should I create profiles.clj and add the location of my database there? And does this mean I have to update the project.clj as well?
Finally, do the queries to the database, such as GET and POST requests, go in db.cljs.
I apologise if these questions are trivial but after reading the documentation several times I am still a little confused
re-frame is a framework for building client-side web applications. You won't be able to do generic database queries as most databases don't support direct access from a browser.
I'm having a problem with my re-frame application. I can't figure out how to connect it to a local database on my machine.
You probably need to create a middle API tier that accepts REST requests from re-frame, and queries the database, returning JSON back to the client.
Finally, do the queries to the database, such as GET and POST requests, go in db.cljs
Those are probably queries to your API tier? They can live anywhere that you would like.
One thing to clarify: re-frame has an app-db that it uses and refers to. This is a client-side database of local state that lives in your application. It doesn't have a connection to the backend, at least not without you writing more code for it. It sounds like you might be confusing these?
Is POST method inherently "secure" and if not, can it be easily made secure or should I use a different protocol entirely?
Please back your statements up with explanation or reference unless they are simply opinion.
The system:
.NET program collecting data with a QR scanner
a web server running CentOS 6
a database on the server to store scans in tables based on QR type.
not all QR types are known now so a new table is created when a new QR type is to be sent.
data needs to get from QR scanner to database as quickly as possible but assume connection is unreliable (think cell phone tethering)
Feel free to comment on my (incorrect?) assumptions about the validity of these other methods I've discounted.
opening a port for MySQL and pushing data in directly - makes IT people panic even if the user has very restricted privileges although I don't see how it's insecure. (also see comments on ssh + MySQL)
using ssh tunnel to insert to MySQL - it's quite conceivable that the database structure will change in the future and I want all the MySQL work done server side so it's easy to modify.
making my own listener on a port on the server and defining my own protocol - seemed daunting at first glance. I know C++/C/Python/PHP so I could do something like this if POST is bad and listener is easy. Don't know where to start or scope of this method.
Example of data packet to be sent. (This is what my .net DLL must receive from the previous person) [QRTypeVersion, HeaderLength, H1, H2, ... DataLength, D1, D2 ..., Comment]
Some good reads:
There are some really good comments about security.
Is either GET or POST more secure than the other?
how to secure POST method without using SSL?
How secure is a HTTP POST?
Hope this helps.
I just realized that there is no best way to hide MySQL string connection password in my executable file, especially in JAR file. Even encrypting it in EXE would only slow down the process (although I'm not sure how much time would it take to get an encrypted password from an EXE file).
So, from my understanding, I need something in the middle that would do the add, edit, delete etc to the database. Seems like a job for REST API or maybe SOAP services.
My question is, which one should I use? Or should I use something else? I was thinking Zend Framework to create those REST APIs. Then, I would use Qt to create a desktop application to call those APIs. But if I proceed with REST, my application would be a 3 tier application. Wouldn't it be better if I just create a web application? Maybe I should just stick to desktop application call those APIs since the application is already finished and I just need to change from connecting directly to MySQL to calling those APIs to perform tasks rather than changing the whole application to a web.
Any advice would be very helpful. Thanks in advance.
UPDATE:
I'm looking for a security that would protect my MySQL password connection.
Obfuscator would only obfuscate the code, it won't hide my string database information which In my opinion can be easily found using grep after decompiling the JAR using tools like JAD.
About my application:
Using a centralized MySQL database
Thousands of user
Contains sensitive information
My client uses Linux and Windows
My server uses Linux
All access are done in LAN, no outside connection (from Internet etc)
My current solutions (comments please):
Using REST APIs (safer since MySQL password is in the server)
Using Qt with encryption to the password
It depends on what kind of security are you looking for. Is this to protect the application from the user? To protect the user's data from other users? To protect multiple users' data from one another? To protect the user's data from an attacker?
In a lot of applications there's nothing wrong with storing the database login credentials in plain text. In other cases, you might try:
encrypting a user-chosen database password using a reasonably strong algorithm, e.g. Blowfish, using a hard-coded key;
having the user provide the password and "log in" to the program each time;
storing the database password in plain-text, but encrypt the data using a hard-coded key;
same as the above, but encrypt each user's data using their own provided password;
same as 2 but store each user's data in their own database with their login info as the database credentials;
storing the data on a secure remote database that users have to log into to access via a SOAP API;
using the native filesystem permissions to protect the configuration file holding the login credentials;
same as #1 but rolling your own really elaborate key-generation system: e.g. run the machine SID or a hardware id through MD5 using a randomly-generated salt, and then using the result to encrypt the login credentials.
Remember, there's no such thing as perfect security, so whatever you settle on doesn't need to be unbreakable. It just needs to be tough enough to break to make the hassle of circumventing the security mechanism exceed the value of the data. So, for example, if the data is a list of the top scores in Minesweeper, then ROT13 would probably be enough.
Edit:
I just want to add that, even if you can't get around having to hard-code an encryption key in your application, there are obfuscators for Java, .NET, and most other popular languages/frameworks. One of the key uses of these tools is to hide sensitive hard-coded strings like encryption keys.
Edit 2:
Given the additional details about the app in question, only 1, 6 and 8 would apply in this case. And a SOAP API is more appropriate for #6 as George rightly pointed out.
I also want to mention that there are Java resource obfuscators that encrypt string literals. This is just one example.
It pretty much depends in what environment your app runs
a) db and client local
b) db and client in a local network
c) db is in the internet
my two cents:
a) I would create a single db user and wouldn't use a password but restrict acces to localhost
b) direct connect to the database is fine but I would each user have to login with his own password and grant only the permissions he needs.
c) It's a bad idea to allow mysql connections to a public server. In this case webservices would be a good solution.
Anyway if your case is b or c I would stick with a login dialog for the user.
Maybe you should have a look at this http://www.greensql.net/ tool.
It is like a firewall but for mysql/postresql
So you can deny anything and only allow queries you want to.
If you are using Java for implementing your database desktop application, I would recommend to use Java DB as the database. There is a few ways of securing it, and there are alternatives to having a password in the connection string. I would recommend to read Java DB Security - Security Features in Java DB Release 10.4
It is easy to deploy your application with Java DB, since you can have much of it embedded in the same jar file. I have used it in a Point of Sale application implemented in Java.
I want to build a web based front-end to manage/administer my Linux box. E.g. I want to be able to add users, manage the file system and all those sorts of things. Think of it as a cPanel clone but more for system admin rather that web admin.
I was thinking about creating a service that runs on my box and that performs all the system levels tasks. This way I can have a clear separation between my web based front-end and the actual logic. The server pages can than make calls to my specialized server or queue tasks that way. However, I'm not sure if this would be the best way to go about this.
I guess another important question would be, how I would deal with security when building something like this?
PS: This just as a pet project and learning experience so I'm not interested in existing solutions that do a similar thing.
Have the specialized service daemon running as a distinct user -- let's call it 'managerd'. Set up your /etc/sudoers file so that 'managerd' can execute the various commands you want it to be able to run, as root, without a password.
Have the web server drop "trigger" files containing the commands to run in a directory that is mode '770' with a group that only the web server user and 'managerd' are members of. Make sure that 'managerd' verifies that the files have the correct ownership before executing the command.
Make sure that the web interface side is locked down -- run it over HTTPS only, require authentication, and if all possible, put in IP-specific ACLs, so that you can only access it from known locations, in advance.
Your solution seems like a very sensible solution to the 'root' issue.
Couple of suggestions:
Binding the 'specialised service' to localhost as well would help to guarantee that requests can't be made externally.
Checking request call functions that perform the actions and not directly give the service full unrestricted access. So calling a function "addToGroup(user,group)" instead of a generic "performAction(command)".