Reputation: 701
Is Extra Encryption Necessary when Using HTTPS?
My friends and I are creating an iPhone app that uses a node.js backend. We've been having a debate regarding whether we should use some encryption library to encrypt all or part of the post-payload that we send to the node.js server. (We were going to use some version RNCryptor, or something like that.) My question is, do we really need this extra level of encryption if we are already using HTTPS?
I understand the benefit of encrypting data on the server itself. But do we need this extra encryption for the data in transit?
Sorry if this question is too broad...
Upvotes: 2
Views: 802
Answers (2)
Reputation: 3896
That really depends on what you're trying to protect your data from.
HTTPS is secure enough for most uses, however it is completely insecure if there is an untrusted (or unexpected/unwanted) Root Certificate installed in the browser and you're on a network where an attacker has control of the traffic.
Some companies have their own root certificates installed so they can MITM all the browser traffic including HTTPS.
Additionally, there have been actual CAs that issued certificates that would have allowed attackers to pretend to be almost anybody. For the right price, anybody could have been [insert your bank here].
If you're trying to protect against your local ISP, you're probably OK. If you're using a company-issued computer or browser, or have reason to think your certificate store might have been tampered with, you would need additional encryption to keep your data private.
Upvotes: 2
Reputation: 94058
No, you're better off making sure that your TLS configuration is secure. In this case using TLS 1.2 with ECDHE, AES or Chacha20 / Poly1305 and other modern primitives is highly recommended (preparing you for TLS 1.3 as well).
Of course you can add security for data at rest, but that's probably not your main objective. And yes, if you do want to do this then you might as well use a well established container format, and you could certainly do worse than RNCryptor in that case, even if it hasn't been standardized. You'd still have to integrate it into your security protocol in a meaningful way, of course.
For these kind of systems it is very important to create a threat model for your system. If your thread model requires it (e.g. in the example that Terry gave, there companies use a MitM attack) then you should start looking. In that case you should also decide to do the encryption client side (where only the client can decrypt) or server side.
The earlier may be preferred security wise, but you must then somehow store a client side private key, which is often not possible to do securely. In that case the data is hidden to the server as well of course (but since you control the application, the client is still not fully secure against leaking the plaintext to you or somebody that controls the server).
Upvotes: 3
Related Questions
- Is password encryption required in frontend(client browser) for HTTPS protocol?
- require('https') vs require('tls')
- On the use of https in Node.js
- Is it necessary to encrypt browser data over HTTPS?
- Node.js Server Request to HTTPS Enough for Encryption?
- How to create Node.js secure server with `https.js`?
- Does NodeJS https perform symmetric encryption of the traffic
- Decrypt incoming HTTPS traffic in Node https server
- express.js https server noob
- node.js SSL encryption without authentication