Bug #74430 Bad security recommendation in docs
Submitted: 17 Oct 2014 13:19
Modified: 23 Oct 2014 14:52
Reporter: Andrew Hutchings
Status: Closed
Category: MySQL Server: Documentation
Severity: S3 (Non-critical)
Version:
OS: Any
Assigned to: Paul DuBois
CPU Architecture: Any

[17 Oct 2014 13:19] Andrew Hutchings
Description:
https://dev.mysql.com/doc/refman/5.6/en/ssl-basics.html

"To improve security a little, you can compress client/server traffic by using the --compress option when invoking client programs. However, this does not foil a determined attacker."

This is not only wrong but very misleading for two reasons:

1. My kids could probably intercept and decode zlib-encoded traffic.
2. Smaller packets (IIRC around 60 bytes or less) aren't compressed at all.

How to repeat:
Get yourself hacked by using zlib for security.

Suggested fix:
Completely remove that part of the docs.

[20 Oct 2014 8:13] MySQL Verification Team
Hello Andrew,

Thank you for the report.

Thanks,
Umesh

[23 Oct 2014 14:52] Paul DuBois
Thank you for your bug report. This issue has been addressed in the documentation. The updated documentation will appear on our website shortly.
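
The report's two points, shown as an added example (not part of the bug report or of MySQL's code): a frame in the compressed client/server protocol is a 7-byte header plus a zlib body, and a frame whose length-before-compression field is 0 carries its payload as-is, so both kinds yield their SQL text to anyone holding the bytes. The capture and both queries are constructed sample data, and the function names are this example's own.

```python
import zlib

COM_QUERY = 0x03  # command byte that precedes SQL text in a client packet

def mysql_packet(seq: int, payload: bytes) -> bytes:
    """Plain protocol packet: 3-byte little-endian length, 1-byte sequence, payload."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

def compressed_frame(seq: int, inner: bytes, compress: bool) -> bytes:
    """Compressed-protocol frame: 3-byte body length, 1-byte sequence,
    3-byte length before compression (0 means the body was sent as-is)."""
    body, before = (zlib.compress(inner), len(inner)) if compress else (inner, 0)
    return len(body).to_bytes(3, "little") + bytes([seq]) + before.to_bytes(3, "little") + body

def read_frames(stream: bytes):
    """Yield the plaintext carried by each frame in a captured byte stream."""
    pos = 0
    while pos < len(stream):
        header = stream[pos:pos + 7]
        if len(header) < 7:
            raise ValueError("truncated frame header")
        body_len = int.from_bytes(header[0:3], "little")
        before = int.from_bytes(header[4:7], "little")
        body = stream[pos + 7:pos + 7 + body_len]
        if len(body) < body_len:
            raise ValueError("truncated frame body")
        # No key is involved: zlib.decompress needs nothing but the bytes.
        yield body if before == 0 else zlib.decompress(body)
        pos += 7 + body_len

def extract_queries(stream: bytes) -> list:
    """Return the SQL text of every COM_QUERY packet found in the stream."""
    queries = []
    for plain in read_frames(stream):
        pos = 0
        while pos + 4 <= len(plain):
            n = int.from_bytes(plain[pos:pos + 3], "little")
            payload = plain[pos + 4:pos + 4 + n]
            if payload[:1] == bytes([COM_QUERY]):
                queries.append(payload[1:].decode("utf-8", "replace"))
            pos += 4 + n
    return queries

# Constructed sample: one short query sent uncompressed, one longer query compressed.
SHORT_SQL = "SELECT 1"
LONG_SQL = "SELECT name, email, password_hash FROM users WHERE email LIKE '%@example.com'"
CAPTURE = (
    compressed_frame(0, mysql_packet(0, bytes([COM_QUERY]) + SHORT_SQL.encode()), compress=False)
    + compressed_frame(0, mysql_packet(0, bytes([COM_QUERY]) + LONG_SQL.encode()), compress=True)
)
```

Calling `extract_queries(CAPTURE)` returns both statements in full; confidentiality on the wire comes from the SSL options that the linked manual page covers, not from `--compress`.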