I have many Web applications developed as Node.js-based servers, horizontally scaled with a Load Balancer in front of them. At the beginning, all my Web applications exposed HTTP endpoints and the Load Balancer provided SSL termination for them. Now I'm thinking about the value of providing HTTPS endpoints instead of HTTP ones at the application server level. I think it is a good practice, and my question is: Is this desired, recommended or required for you folks from a security standpoint?
-
You have a lot of vampires in your datacenter? – dandavis May 19 '17 at 01:14
-
Maybe I'm not aware of the terminology. What is a vampire in a datacenter, @dandavis? – yeiniel May 19 '17 at 01:27
-
Something biting into the network between your HTTP server and load balancer. HTTPS uses more server resources, which can be scarce. Unless you face an exposure in transit, there's no benefit. – dandavis May 19 '17 at 03:53
-
Thank you for the explanation, @dandavis. On some deployments I do have users with access to the servers' sub-network. – yeiniel May 19 '17 at 20:39
-
Check this: https://security.stackexchange.com/questions/30403/should-ssl-be-terminated-at-a-load-balancer – elsadek Dec 27 '17 at 18:53
1 Answer
-1
25% of attacks were perpetrated by internal attackers is what the Verizon Data Breach Investigations Report reports.
I cannot think of any time that HTTPS should NOT be used.
-
Consider that the threat model here is the connection between the load balancer and the endpoint ... if someone has access to that link, then encrypting it won't matter: they would have access to the unencrypted messages, too. – schroeder May 19 '17 at 10:42