Why do I need Secure Sockets Layer (SSL) when connecting to SQL Server?

Secure Sockets Layer (SSL) secures data transmitted across the network between your application and a SQL Server database. It does this in two ways: by encrypting the data so that it cannot be read by unintended recipients, and by protecting its integrity so that any modification in transit is detected.

The SQL Server ODBC driver has built-in support for SSL, which:

  • Protects the privacy of your data without the need for third-party encryption products or SSH tunnelling.
  • Gives you control over the trade-off between security level and performance by letting you specify the encryption strength.
  • Mitigates a weakness inherent in SQL Server authentication by encrypting the SQL Server login ID and password as they are passed over the network, so they cannot be recovered from captured traffic.
  • Reduces administration overhead:
    • You can encrypt and preserve the integrity of SQL Server data without having to install an SSL certificate.
    • You can centralise SQL Server security policy by letting SQL Server decide whether incoming client connections should be encrypted. (Alternatively, the driver can request encryption if the decision to encrypt needs to be made on a per-client basis.)

To illustrate how SSL safeguards data privacy through encryption, the packet sniffer output below shows unencrypted SQL Server data captured as it was transmitted across the network. (A packet sniffer is a diagnostic tool for monitoring network traffic; the same tool, in an attacker's hands, captures whatever crosses the wire in clear text.)

    8.E.m.p.l.o.y.e
    e.I.D.......=.R
    a.t.e.C.h.a.n.g
    e.D.a.t.e......
    <.R.a.t.e......
    0.P.a.y.F.r.e.q
    u.e.n.c.y......
    =.M.o.d.i.f.i.e
    d.D.a.t.e......

This potentially sensitive information has been captured in plain text by the sniffer.

The connection was then encrypted using the SQL Server ODBC driver's SSL support and the capture repeated. This packet sniffer output shows the same data in its encrypted form.

    .E..{i.2.8.G.q..
    .n..{X.... 4..O.
    &....Lt..Z.wrH.8
    .W..{..........,
    ....1s_..).\k.6.
    ..4U..4..D...5.U
    &...I......+..w.
    l.W...&}x.......
    ....%......7...J
    ..C$...,j..52.~.
    .w. Q.qE.Q....]4
    .\.Y?...|R.VOr.S
    .....K.W.. 2.#.T
    .G..+..F.....T..
    @"..+-.......

The data is now unreadable.
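The dots between the letters in the first capture are the zero high bytes of the UCS-2 (UTF-16LE) encoding that SQL Server uses for column names and character data, and that pattern is exactly what a defender can look for to spot database traffic that is still crossing the network unencrypted. The following Python script is an added example, not part of this FAQ or of the ODBC driver; it renders captured bytes the way the sniffer panes above do and flags payloads containing readable UCS-2 runs. Both payloads are constructed, and the "ciphertext" is a deterministic stand-in for SSL output, not real encryption.

```python
"""Detect SQL Server traffic that is crossing the network unencrypted.

Added example, not part of the original FAQ.  SQL Server (TDS) sends
column names and character data as UCS-2 / UTF-16LE, so in an ASCII
packet dump each letter is followed by a zero byte, which is why the
FAQ's capture reads "E.m.p.l.o.y.e.e".  A defender can flag captured
database payloads that still contain such runs; SSL-encrypted payloads
do not.
"""
import hashlib
import re

MIN_CHARS = 4  # shortest UTF-16LE text run treated as a leak

# Printable ASCII byte followed by 0x00, repeated MIN_CHARS or more times.
_UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_CHARS)


def ascii_pane(payload: bytes, width: int = 16) -> list[str]:
    """Render bytes like the sniffer pane in the FAQ: `width` bytes per
    row, non-printable bytes shown as '.'."""
    return ["".join(chr(b) if 0x20 <= b < 0x7F else "." for b in payload[i:i + width])
            for i in range(0, len(payload), width)]


def recover_plaintext(payload: bytes) -> list[str]:
    """Return every readable UTF-16LE string of MIN_CHARS or more characters."""
    return [m.group(0).decode("utf-16-le") for m in _UTF16LE_RUN.finditer(payload)]


def looks_unencrypted(payload: bytes) -> bool:
    """True when the payload leaks readable text, i.e. SSL is not in use."""
    return bool(recover_plaintext(payload))


# Constructed payload: TDS-style column metadata, one length byte followed by
# the UCS-2 column name, for the columns visible in the FAQ's capture.
COLUMN_NAMES = ["EmployeeID", "RateChangeDate", "Rate", "PayFrequency", "ModifiedDate"]
PLAINTEXT_PAYLOAD = b"".join(bytes([len(n)]) + n.encode("utf-16-le") for n in COLUMN_NAMES)

# Constructed stand-in for SSL ciphertext: deterministic pseudo-random bytes
# of the same length (not real encryption, just structureless data).
CIPHERTEXT_STANDIN = b"".join(
    hashlib.sha256(b"standin" + bytes([i])).digest() for i in range(4))[:len(PLAINTEXT_PAYLOAD)]

if __name__ == "__main__":
    for label, payload in (("unencrypted", PLAINTEXT_PAYLOAD), ("encrypted", CIPHERTEXT_STANDIN)):
        print(f"--- {label}: leaks text = {looks_unencrypted(payload)}")
        print("\n".join(ascii_pane(payload)))
        print("recovered:", recover_plaintext(payload))
```

Running the script prints a pane for each payload; the unencrypted one shows the dotted column names and recovers them as text, while the stand-in ciphertext yields no readable strings.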