Reputation: 21
I'm allowing users to log in to my site using third party credentials (let's call it SocialFoo). Users submit their username and password for SocialFoo via a POST over HTTPS. After the POST is made, on the server side, I validate the credentials via an API call to SocialFoo.
Is there any security benefit to making the API call to SocialFoo via HTTPS rather than HTTP? Since this request is theoretically not exposed to user, is there a security risk beyond packet sniffers at the data center?
Upvotes: 2
Views: 219
Reputation: 9916
There's not really any risk aside from anyone sniffing the traffic between you and the remote host. SSL protects you from just that when used properly though. Encryption prevents your data from being understood when only observed and authentication lets you know it most likely has not been tampered with.
Your specific question about sniffers at data centers... If both hosts are located in a data center under the same switch, you're probably fine. If they're not, then you need to ask about VLAN bridging between your two switches, assuming you're renting both switches for both hosts.
If your data center won't let you just up and bridge the two, then you will want to use SSL or any other well-used scheme. If you want to see how easy it is to look at traffic under your switch (or even further sometimes), just run tcpdump (Linux) or Wireshark (Windows).
Just be safe: use SSL. There's not really a problem with performance these days either, unless you're using 16384-bit keys, are running your own CA and doing real-time CRL checking, and need over 1,000 connections/second. Or, you're using old hardware... in which case, at least use 2048-bit keys.
Also depending on your business or the content of your transmissions, it may be required as a regulation in your country to secure the data or at least make a reasonable attempt at maintaining confidentiality or authentication of some kind.
An added note: You mentioned that since the request isn't exposed to the user, you might not need SSL. SSL protects the user's data. It doesn't do anything to prevent a user from reverse engineering your protocol, tampering with data before it's transmitted, or anything like that. I may be misunderstanding your point, but I figured I would throw this out there.
Upvotes: 0
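As an added example (not code from the question or from any of the answers), here is what "used properly" looks like on the server side when the SocialFoo credentials are forwarded: the outbound call is refused unless the endpoint is https://, and the TLS context verifies the remote certificate and hostname, which is what turns "hidden from passive sniffers" into "also not readable by an on-path host impersonating SocialFoo". The weak context is shown beside it for contrast. SocialFoo is the question's placeholder; the hostname api.socialfoo.example, the JSON request body and the "200 means the credentials are valid" rule are assumptions made for the example.

```python
import http.client
import json
import ssl
from urllib.parse import urlsplit


def build_tls_context() -> ssl.SSLContext:
    """Client-side context that verifies the server certificate against the
    system trust store and checks the hostname. These are already the defaults
    of create_default_context(); they are set explicitly because turning them
    off is the most common way to end up with HTTPS that only hides traffic
    from passive observers."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def build_insecure_context() -> ssl.SSLContext:
    """The weak configuration, for contrast only: the bytes on the wire are
    encrypted, but any host on the path can present its own certificate and
    read the forwarded SocialFoo username and password."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def https_endpoint(url: str) -> tuple:
    """Refuse to send third-party credentials anywhere except an https:// URL.
    Returns (host, port, path-with-query) for http.client.HTTPSConnection."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing to send credentials over {parts.scheme!r}: {url}")
    if not parts.hostname:
        raise ValueError(f"URL has no host: {url}")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return parts.hostname, parts.port or 443, path


def verify_with_socialfoo(username: str, password: str,
                          url: str = "https://api.socialfoo.example/verify",  # assumed endpoint
                          timeout: float = 5.0) -> bool:
    """Server-side credential check against SocialFoo. This function needs
    network access; the helpers above are what can be exercised offline."""
    host, port, path = https_endpoint(url)
    conn = http.client.HTTPSConnection(host, port, context=build_tls_context(),
                                       timeout=timeout)
    try:
        body = json.dumps({"username": username, "password": password})  # assumed API shape
        conn.request("POST", path, body=body,
                     headers={"Content-Type": "application/json"})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection can be closed cleanly
        return resp.status == 200  # assumed: 200 means the credentials checked out
    finally:
        conn.close()
```

The scheme check belongs in code rather than in a config comment: a later edit that changes the endpoint to http://, or a "verify=False"-style shortcut added while debugging a certificate problem, silently removes the protection the answer above is relying on.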
Reputation: 3238
I would say that the answer to your specific question is no. SSL encryption is used to protect network traffic while it is transmitted on the network. If both servers are on the same local network and that network is located in a single data center, then the only reason for using SSL is to protect against threats on that network in that data center. Another question is if it is good security practice to not protect against threats on the local network.
Upvotes: 0
Reputation: 2286
Usually, at least while your session is active, some authentication token is transmitted to the server with every request you make. To prevent this token from being captured and tampered with while crossing the network, ensure that you use SSL with all pages that require authenticated access.
Upvotes: 1
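One way to enforce the advice in the answer above, as an added example that is not part of the original post: a WSGI middleware that never lets a request arriving over plain HTTP reach the application (so a session token sent that way is never honoured), plus a session cookie issued with the Secure and HttpOnly flags so the browser will not send it over HTTP in the first place. The cookie name "session", the host app.example, the login path and the demo application are all constructed for the example.

```python
from http.cookies import SimpleCookie

SESSION_COOKIE = "session"  # assumed cookie name


def request_is_https(environ) -> bool:
    """True when the request reached the app over TLS. If a TLS-terminating
    proxy sits in front, it sets X-Forwarded-Proto; that header is only
    trustworthy when nothing but the proxy can reach the application."""
    return (environ.get("wsgi.url_scheme") == "https"
            or environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https")


def session_cookie_header(token: str) -> str:
    """Set-Cookie value for the session token: Secure stops the browser from
    ever sending it over plain HTTP, HttpOnly keeps page scripts from reading
    it, SameSite=Lax limits cross-site sends."""
    c = SimpleCookie()
    c[SESSION_COOKIE] = token
    c[SESSION_COOKIE]["secure"] = True
    c[SESSION_COOKIE]["httponly"] = True
    c[SESSION_COOKIE]["samesite"] = "Lax"
    c[SESSION_COOKIE]["path"] = "/"
    return c[SESSION_COOKIE].OutputString()


def https_only_sessions(app):
    """Middleware: plain-HTTP requests are redirected to https:// and never
    reach the wrapped app. A token that did arrive over HTTP should be treated
    as already exposed on the network and rotated, not accepted."""
    def wrapped(environ, start_response):
        if not request_is_https(environ):
            host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
            location = "https://" + host + environ.get("PATH_INFO", "/")
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]
        return app(environ, start_response)
    return wrapped


def demo_app(environ, start_response):
    """Constructed application: issues a session cookie on a hypothetical login."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", session_cookie_header("t0k3n"))])
    return [b"logged in\n"]


def constructed_environ(scheme: str, path: str = "/login", query: str = "") -> dict:
    """Minimal WSGI environ built inline so the example runs offline."""
    return {"wsgi.url_scheme": scheme, "HTTP_HOST": "app.example",
            "SERVER_NAME": "app.example", "PATH_INFO": path,
            "QUERY_STRING": query, "REQUEST_METHOD": "GET"}


def call(app, environ):
    """Offline driver: runs a WSGI app and returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


app = https_only_sessions(demo_app)

if __name__ == "__main__":
    print(call(app, constructed_environ("http", "/login", "next=1")))
    print(call(app, constructed_environ("https")))
```

The redirect only protects requests that have not been sent yet; the value in closing the HTTP port entirely (or adding HSTS once everything is on HTTPS) is that the browser never makes the plain-HTTP request carrying the token at all.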
Reputation: 6632
YES
There is always a risk of having information stolen if it is not transmitted securely. As a general rule of thumb, any and all sensitive data going in or going out should be encrypted. It is not only a "security benefit" to use HTTPS, but should be a requirement.
Upvotes: 0