5

Is it secure to send data to a free database at MongoLab from a Heroku app?

The data could be things like emails and preferences.

Or do you need SSL? I've read about MongoDB SSL.

I've asked around but couldn't find anything specific to mongolab.

Muhammad Umer

2 Answers

4

From MongoLab's documentation:

Securing communications to your database

You should always try to place your application infrastructure and your database in the same local network (i.e., datacenter / cloud region), as it will be the most secure method of deployment and will minimize latency between your application and database.

When you connect to your MongoLab database from within the same datacenter/region, you communicate over your cloud hosting provider’s internal network. All of our cloud hosting providers provide a good deal of network security infrastructure to isolate tenants. The hypervisors used do not allow VMs to read network traffic addressed to other VMs and so no other tenant can “sniff” your traffic.

However, when you connect to your MongoLab database from a different datacenter/region, your communications are less secure. While your database does require username / password authentication (with credentials that are always encrypted on the network), the rest of your data is transmitted unencrypted over the open internet. As such you are potentially vulnerable to others “sniffing” your traffic.

Using MongoDB with SSL connections

Available for Dedicated plans running MongoDB 2.6+ only

To further secure communications to your database, MongoLab offers SSL-encrypted MongoDB connections on Dedicated plans running MongoDB 2.6 or later. Even when using SSL, we still recommend placing your application infrastructure and your database in the same datacenter/region to minimize latency and add another layer of security.

Gert Hengeveld

    Hi, this still doesn't answer my question. Is the connection between Heroku and MongoLab secure? It keeps saying when you connect to the database over a cloud hosting provider who is in the same region then you are somewhat secure. But again, I'm with Heroku; does that count as "somewhat secure"? – Muhammad Umer Apr 20 '15 at 16:07

3

I did the same thing as you and sent an email to ask MongoLab for details. I got an answer, and I am sharing it with you in the hope that it helps. Below is the reply.

As long as your Heroku app and MongoLab database are in the same cloud region, we consider it safe to communicate between Heroku and MongoLab, as AWS' infrastructure prevents packet-sniffing within regions. If you use the MongoLab addon on Heroku this is automatic, but if you use a deployment provisioned directly at mongolab.com you'll need to manually select the matching region.

It looks like the connection between Heroku and MongoLab is in the same region. Both are secured by AWS, so I guess you don't need SSL. If you need it to be very safe, you still need SSL for extra security.

Hope it can help

ys588281

    So neither MongoLab nor Amazon guarantees it's gonna be over SSL. But, oh, "it might as well be on SSL", so don't worry. – Muhammad Umer Nov 04 '15 at 15:19
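
As an added example (not from either answer or from MongoLab's documentation): a Python check of whether a MongoDB connection string actually requests the SSL/TLS connection the quoted documentation describes, or leaves encryption off and relies on same-region network isolation. The function name, host names and credentials are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Standard URI options that keep TLS on but switch off certificate/hostname checks.
WEAKENING = ("tlsinsecure", "tlsallowinvalidcertificates", "tlsallowinvalidhostnames")

def audit_mongo_uri(uri):
    """Report whether a MongoDB connection string asks for an encrypted link."""
    parts = urlsplit(uri)
    if parts.scheme not in ("mongodb", "mongodb+srv"):
        raise ValueError("not a MongoDB connection string: %r" % parts.scheme)
    # Option names are case-insensitive; this example takes the last value given.
    opts = {k.lower(): v[-1].lower() for k, v in parse_qs(parts.query).items()}
    explicit = opts.get("tls", opts.get("ssl"))  # "ssl" is the older alias of "tls"
    if explicit is not None:
        tls = explicit == "true"
    else:
        tls = parts.scheme == "mongodb+srv"  # SRV connection strings default to TLS
    weakened = [o for o in WEAKENING if opts.get(o) == "true"]
    findings = []
    if not tls:
        findings.append("no TLS requested: data is sent unencrypted, so the link "
                        "depends on same-region network isolation")
    for o in weakened:
        findings.append("%s=true disables part of certificate verification" % o)
    return {"tls": tls, "verified": tls and not weakened, "findings": findings}

# Constructed sample connection strings (hosts and credentials are placeholders).
SAMPLES = [
    "mongodb://user:pass@db.example.invalid:27017/app",
    "mongodb://user:pass@db.example.invalid:27017/app?ssl=true",
    "mongodb://user:pass@db.example.invalid:27017/app"
    "?tls=true&tlsAllowInvalidCertificates=true",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        result = audit_mongo_uri(uri)
        # Print only the host part so credentials never reach the logs.
        host = urlsplit(uri).hostname
        print(host, "tls=%s verified=%s" % (result["tls"], result["verified"]))
        for finding in result["findings"]:
            print("  -", finding)
```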