THE SQL Server Blog Spot on the Web


Buck Woody

Carpe Datum!

SQL Azure - Requiring Encrypt=True

(Many thanks to Peter Gvozdjak and Dan Benediktson here at Microsoft who worked with me on this issue and provided the bulk of information for this post)

Recently I had a customer inquire about some performance tuning he wanted to do for SQL Azure, and as part of that he found that it was possible to remove the “Encrypt=True” setting on the ADO.NET connection to SQL Azure. We have always stated that the connections to SQL Azure are encrypted, so being able to remove this string surprised him. (More on that reference here: http://msdn.microsoft.com/en-us/library/windowsazure/ff394108.aspx)

It is true that all connections to SQL Azure are encrypted - whether you use the Encrypt=True string or not. We’ll force the connection to encrypt even if you don’t, or we won’t route it. However, you do want to use that string, for a couple of reasons.

Whenever you include the Encrypt=True string, the connection requires your client to validate the certificate that SQL Azure presents, to ensure that the key is the one used by Microsoft. If you don’t include that string, it’s possible - not probable, but possible - that someone could set up a false DNS entry that points your connection at a server other than SQL Azure, and your client would not validate the certificate that server presents.

So don’t give the bad guys a way in - there is no performance gain (other than perhaps if the bad DNS is in your own building!) by leaving it off. Follow the best practice of using Encrypt=True.
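One way to enforce this best practice in application code, as an added example that is not from the original post or from Microsoft: a C# check that parses a connection string with ADO.NET's own SqlConnectionStringBuilder and rejects it unless the client will validate the server certificate. It assumes System.Data.SqlClient; the server, database and user names are constructed placeholders, and the TrustServerCertificate keyword is not mentioned in the post but is a real ADO.NET keyword that makes the client accept the certificate without validating it even when Encrypt=True is present.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;

static class SqlAzureConnectionPolicy
{
    // Returns the reasons a connection string would skip certificate validation.
    // An empty list means the client will validate the certificate the server presents.
    public static List<string> Audit(string connectionString)
    {
        var builder = new SqlConnectionStringBuilder(connectionString);
        var findings = new List<string>();
        if (!builder.Encrypt)   // defaults to false when the keyword is absent
            findings.Add("Encrypt is not True: SQL Azure still encrypts the channel, " +
                         "but the client does not validate the server certificate");
        if (builder.TrustServerCertificate)
            findings.Add("TrustServerCertificate=True: the certificate is accepted without validation");
        return findings;
    }

    // Returns the same connection string with certificate validation enforced.
    public static string Harden(string connectionString)
    {
        var builder = new SqlConnectionStringBuilder(connectionString)
        {
            Encrypt = true,
            TrustServerCertificate = false
        };
        return builder.ConnectionString;
    }

    static void Main()
    {
        // Constructed sample values (hypothetical server, database and credentials).
        const string common = "Server=tcp:example.database.windows.net,1433;" +
                              "Database=AppDb;User ID=appuser@example;Password=placeholder;";
        string[] samples =
        {
            common,                                               // keyword omitted
            common + "Encrypt=True;TrustServerCertificate=True;", // validation bypassed
            common + "Encrypt=True;"                              // recommended form
        };
        foreach (var cs in samples)
        {
            var findings = Audit(cs);
            Console.WriteLine(findings.Count == 0 ? "OK" : "REJECT: " + string.Join("; ", findings));
        }
        Console.WriteLine(Harden(samples[0]));
    }
}
```

Calling Audit at application start-up, before any connection is opened, turns a missing Encrypt=True from a silent misconfiguration into a deployment failure.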

There’s more on connection management for things like retries and so on here: http://social.technet.microsoft.com/wiki/contents/articles/sql-azure-connection-management.aspx

Published Tuesday, March 06, 2012 6:43 AM by BuckWoody