This a good topic to understand. The original content is from StackExchange. Sharing it here for everyone’s reference and understanding.
Question
Let’s set up the environment before coming to my question.
- We have a web application which will be accessible to the user over HTTPS.
- Mostly only accessible in the intranet ( rarely over the internet )
- Front-end was developed in Angular
- Backend was developed in Java-EE
Now I came to an argument with my colleagues over a concern of mine.
The communication between the frontend and backend is completely unencrypted, resulting in the credentials of a user logging in send over the intranet/internet completely clear text. Also they will enter sensitive data which is a secret of the company (ingredients, proportions, etc.).
Adding the fact we integraded LDAP Login possibility to our application this fact seems highly risky to me, possibly resulting in an entry point to gain more informations off the intranet (getting LDAP credentials and accessing more services and machines).
My colleagues said thats nothing to worry about since the communication between client and server is established over HTTPS.
However they couldn’t convince me with only providing that one single argument at all, especially since there are known problems like SSL Stripping, MITM, or even traffic analysis. I know that I should only worry about those if we don’t configure everything correctly, but thats also a concern of mine.
I am on the point that we should encrypt the communication betweeen client and server additionally with something like Jose4J. That would ensure that even in an intranet breach or HTTPS Problem the sensitive data would still be a secret. It would also be more hard to analyse the traffic.
Now I wanted to get an answer which provides more facts and a better conclusion than only “but we are using https”.
Is only using HTTPS for a web application dealing with sensitive data “secure” enough?
Answer
The communication between the Frontend and Backend is completely unencrypted, resulting in the credentials of a user logging in send over the intranet/internet completely clear text.
…the communication between client and server is established over HTTPS.
You are contraditcting yourself. If you are using HTTPS, your data isn’t unencrypted.
…especially since there are known problems like SSL Stripping, MITM, or even traffic analysis.
SSL stripping is solved by HSTS. Use it. A MITM is exactly what TLS protect against, so I fail to see how that is a “known problem”. Not sure what you mean by “traffic analysis”, but implementing your own application level crypto is not going to solve it.
I think you are undervaluing what HTTPS gives you.
Is only using HTTPS for an Web application dealing with sensitive data “secure” enough?
What your question basically boils down to is this: Is transport layer encryption enough, or do I need application layer encryption as well?
For a web app designed to run in the browser, the security value of application layer encryption is basically zero. Why? Because the very code that does the application layer crypto will have to first be transported to the client. If transport layer crypto is broken, that code can be tampered with to the attackers benefit.
And anyway: You do not trust yourself to configure your own TLS. Why should you trust yourself with the much more complex task of setting up safe application layer crypto? I promise, it will be much easier to just read up on TLS and do that right.
Your colleagues provided you with only one argument, because it’s the right argument. Use HTTPS
Reference: https://security.stackexchange.com/questions/178315/do-i-need-additional-encryption-on-top-of-https-for-a-rest-api
