SQL traffic shouldn't really run over anything but short LAN links. Ideally separated from other stuff entirely, but just not spewed over your whole LAN, and really not over the Internet at all.

TLS is good, yes, but unless you're also validating those certs they don't mean much. Client certs would be even better.

[–] pcn@lemmy.world 5 points 1 month ago

Some compliance measures (PCI DSS 4, HIPAA) mandate encryption in transit and none penalize it, so making any of that easier and less error-prone seems like a step in the right direction.

[–] otto@programming.dev 3 points 1 month ago

TLS is good *only' if you are also validating those certs. And that is what MariaDB 11.8 is now doing.

[–] moonpiedumplings@programming.dev 2 points 1 month ago* (last edited 1 month ago)

The cloud, and any form of managed database, inverts this. User accounts are extremely easy, as they are automatically provisioned with secrets you can easily rotate, along with the database itself. There is less of a worry about user rights as well, as you can dedicate one "instance" of a database to certain types of data, instead of having more than one database within one instance.

And then, traffic is commonly going to be routed through untrusted networks, hence the desire for encryption in transit.