Reputation: 4227
Is SSL necessary on localhost?
We have a web application which will use self signed certificates, and after installing it on the server, the browser will open at "https://localhost" (no, for argument's sake, I will state that we cannot use the actual machine name). This will generate a browser error, because "localhost" is not the certificate's domain.
An option, is to expose the application on HTTP only on the loopback (localhost).
Our application should be encrypted whenever it is passing outside of the server, so - the question..
Are there any security concerns around allowing HTTP access to our application on localhost (and only on localhost)? Does this expose the application to snooping from outside of the computer?
One can assume that if someone was able to access the machine's local user sessions, then we have bigger worries, and the lack of HTTP would hence be insignificant.
Upvotes: 10
Views: 4767
Answers (1)
Reputation: 5907
There could be other process sniffing the loopback interface. It could be a service running in you PC, sniffing and sending data outside to a remote server.
You can still use https with a domain name, like https://www.myowndomain.com and in the hosts file you map this domain to 127.0.0.1
Upvotes: 10
Related Questions
- How do you use HTTPS and SSL on 'localhost'?
- Why should I disable https while creating new ASP.NET project?
- Enabling SSL on localhost IIS
- use https on asp.net application running on localhost
- How to stop HTTPS errors on localhost IIS
- Isn't HTTPS supposed to encrypt network traffic?
- do i need ssl on my web application?
- Do I need to install SSL on my server?
- Set up https on the localhost
- Is it mandatory to use SSL?