Since 5.0, MySQL has natively supported encrypted connections to the database, and supposedly also supports client certificates for user authentication. Supposedly, because I never tried.
MySQL performs well with the transient connections that are prevalent in two-tier deployments (mod_php, mod_perl, mod_python talking directly to the database), in which a database connection is opened for each web request and torn down at the end of it. This model scales much less well with encryption in the mix, because every new connection has to complete a full TLS/SSL handshake first.
The talk given by Rasmus Lerdorf starts out with Postgres and then switches to MySQL, but the big gain at the beginning really comes from dropping the TLS/SSL connection-establishment overhead, not from anything else. It would be the same no matter which database does the work behind that channel.
For customers who needed to talk to the database over a secure channel, I always recommended a VPN tunnel such as IPsec, openvpn or similar, and then connecting in the clear through it. This not only avoids the per-connection establishment/teardown overhead, but also secures all the other administrative traffic to the server that does not use the MySQL protocol (backups, bulk downloads of dumps and so on).
Daniël van Eeden has been less lazy than me:
- Network attacks on MySQL, Part 1: Unencrypted connections – This article demonstrates why you would want to encrypt your connections, and how you could use a protocol sniffer to escalate privileges on a database by extracting passwords from a TCP dump.
- Network attacks on MySQL, Part 2: SSL stripping with MySQL – Here Daniël actually tries to use TLS/SSL with MySQL, and is in for a bunch of surprises, because he can still downgrade the connection to plain.
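An added example, not from this post or from Daniël's articles: the server-side settings that make the downgrade from Part 2 fail instead of silently succeeding, plus the status check a client can run to confirm its session really is encrypted. It assumes MySQL 5.7.8 or later; account names, hosts, the password and the certificate subjects are placeholders.

```sql
-- Added example, not from the original post. Assumes MySQL 5.7.8+.

-- 1. Account-level enforcement: this application account can only log in
--    over TLS. A client that has been stripped down to plaintext is refused,
--    so it cannot expose its password the way Part 1 describes.
CREATE USER 'app'@'10.0.0.%' IDENTIFIED BY 'CHANGE-ME-placeholder'
  REQUIRE SSL;

-- Stronger: demand a client certificate issued by our CA with a pinned
-- subject (the client-cert authentication the post mentions). Subject and
-- issuer strings are placeholders; they must match the client cert exactly.
CREATE USER 'backup'@'10.0.0.%' IDENTIFIED BY 'CHANGE-ME-placeholder'
  REQUIRE SUBJECT '/CN=backup-host.example.org/O=Example'
      AND ISSUER  '/CN=Example Internal CA/O=Example';

-- 2. Server-wide enforcement: refuse every TCP connection that is not TLS,
--    regardless of account. Put require_secure_transport=ON in my.cnf as well,
--    otherwise the setting is lost on restart.
SET GLOBAL require_secure_transport = ON;

-- 3. What a client should check after connecting: an empty Value for
--    Ssl_cipher means the session is plaintext, i.e. a downgrade happened.
SHOW SESSION STATUS LIKE 'Ssl_cipher';

-- 4. Audit which accounts are still allowed to connect in the clear
--    (ssl_type '' means no TLS requirement on that account).
SELECT user, host, ssl_type, ssl_cipher, x509_subject, x509_issuer
  FROM mysql.user
 ORDER BY ssl_type, user;
```

Account-level REQUIRE clauses protect a single login; require_secure_transport closes the plaintext path for everyone, including tools like backup clients that are easy to forget.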
In conversation with Daniël I learned a few more things. For example, I always thought that community MySQL is linked against OpenSSL, and Enterprise MySQL uses YaSSL for license reasons, but that is a) wrong and b) a problem.
OTOH, Daniël pointed out that current versions of xtrabackup seem to be linked against OpenSSL, which would have to be changed (or the license situation cleared up otherwise).
So – it’s complicated already at the organisational and licensing level, before you even start to dive into the tech specifics.
Anyway, Daniël is planning more articles about MySQL and encryption in his blog, so if you aren’t subscribed, do it now.