Configuring MySQL SSL in Magento (to get your HIPAA auditor off your back)

I’ve been asked a few times now if there is a way to use encrypted MySQL connections in Magento. Most of the time it is when merchants are selling medical products and HIPAA requirements come into play. I am not an expert in HIPAA, nor do I want to be, but with the cost of vulnerabilities on the rise it made sense to at least look into it and get a good answer on how to do it.

Encrypted session handler

A little while ago I had come upon the problem of having to store sensitive data in a user session. The solution that I (and several others) came upon was creating a mechanism for storing encrypted data in a session. But what we wanted to do was build something that didn’t have a single point of failure. We also wanted to build something portable. What we built was a simple Zend Framework session handler for storing sensitive data.

Why you should be careful with phpinfo

I recently posted an image on why you shouldn’t put phpinfo() calls in your code.

There were a couple of comments from people asking “why not?”

Here’s why not.

Go to Google

Search for inurl:phpinfo

Check out the results

At the time of writing there were 4 pages on the first result page that were broadcasting their settings.

Here’s another fun one. Search for “inurl:phpinfo root”. Lots more.

There’s a bunch of information that you will see.