5

I have a web service which can be accessed only from websites hosted on the same server (I use the 127.0.0.1 IP).

Should I use SSL for the communications between the sites and the service, or would that just create unnecessary overhead without increasing security?

Please note that all communications between the websites and the web service happen inside the server. They are all hosted on the same IIS 7.5 server.

Emil
  • 253
  • 2
  • 9
  • You can run SSL so any hostile process will not intercept the password. Also you can encrypt data storage and passwords. – Andrew Smith Jul 26 '12 at 10:20
  • @AndrewSmith How could any "hostile" process intercept the connexion? – curiousguy Jul 26 '12 at 11:13
  • You can remotely execute code which will bind to the same port, e.g. 3306 of MySQL when it e.g. restarts, and intercept the passwords which are from different hosts, therefore you can perform isolation compromise. Clients should know where they are connecting to, and with the self-signed certs you have the problem with authentication of connection solved; additionally for this you need only a login and password, and this is it. Eventually some data can be encrypted with the symmetric key like AES128/256. – Andrew Smith Jul 26 '12 at 12:51

4 Answers

6

No, there is no need to ever encrypt loopback traffic with SSL. Loopback traffic never leaves the machine, since the interface is virtual. The traffic never even reaches a real NIC's device driver.

In order to capture the loopback traffic, an attacker would need to execute a capture program on your machine. Once an attacker has code execution on your machine, you are owned. Game over.

Encrypting the traffic is pointless when they can just read the source data, or read the plaintext buffers from memory.

Polynomial
  • 132,208
  • 43
  • 298
  • 379
1

If there is no access to the machine from any other machine, I do not see the reason for SSL.

Otherwise:

If part of your network is wireless - use SSL. If you are not the only person in the network - use SSL.

If you are able to access the network from the outside world via VPN or port forwarding - use SSL.

It's an extra security measure when hidden behind NAT, but you will not notice a performance drop unless you would want to stream 1080p over this protocol.

mnmnc
  • 370
  • 2
  • 8
  • The server hosts websites which are accessed from the www, but the service I am trying to secure can only be accessed from the websites hosted on the same server (unless there is a way to access a domain mapped to 127.0.0.1 from outside) – Emil Jul 26 '12 at 08:11
  • I would say it only depends on how stubborn the attacker will be or how soon you will have a security hole on the server or an existing one will be published (0day). I would say you are 90% safe - if this satisfies you, leave it be. I'm paranoid so I would use SSL. It's better to be oversecure than otherwise. – mnmnc Jul 26 '12 at 08:19
1

No. I don't think you need to bother with SSL. There is no need for it.

But if you allow any untrusted users or code on your machine, do put your service on a low-numbered port (below 1024), so that other processes cannot bind to that address and steal the traffic intended for your service. Alternatively, make sure that your service gets started at boot and binds immediately to that port (to prevent others from binding to it), arrange for it to be restarted if it should die/crash, and log a critical error if it ever detects that it cannot bind to that port because some other process has already done so.

D.W.
  • 98,420
  • 30
  • 267
  • 572
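The port-hijack scenario from Andrew Smith's comment and the "bind early, fail loudly" mitigation from D.W.'s answer, as an added, self-contained example (not code from the question, the answers, or IIS). It assumes a plain TCP service on 127.0.0.1; the function and exception names are illustrative. The service side refuses to share its address (no SO_REUSEADDR, plus SO_EXCLUSIVEADDRUSE where the platform offers it, which is the Windows option that stops another process from binding an address that is already in use) and treats EADDRINUSE as a security event rather than a transient error. A second function plays the hostile local process, so you can see both that the rogue bind fails while the real service is listening and that it succeeds the moment the service dies, which is why D.W. also asks for an immediate restart.

```python
"""Claim a loopback service port exclusively and detect another process holding it.

Added example, not part of the original Q&A. Names (claim_service_port,
hijack_attempt, PortAlreadyOwned) are illustrative; port numbers in the demo
are ephemeral ones handed out by the OS so the script runs anywhere.
"""
import errno
import logging
import socket

log = logging.getLogger("loopback-service")

# EADDRINUSE on POSIX; Winsock reports WSAEADDRINUSE (10048) instead.
_ADDR_IN_USE = {errno.EADDRINUSE, getattr(errno, "WSAEADDRINUSE", errno.EADDRINUSE)}


class PortAlreadyOwned(RuntimeError):
    """bind() failed because some other process already holds the address."""


def claim_service_port(host: str = "127.0.0.1", port: int = 0) -> socket.socket:
    """Bind and listen on the service address, refusing to share it.

    - SO_REUSEADDR is deliberately NOT set: on Linux/BSD a second socket then
      cannot bind the same address while this one is in LISTEN state.
    - SO_EXCLUSIVEADDRUSE is set where it exists (Windows). Without it, a
      process that sets SO_REUSEADDR on its own socket can bind an address
      that is already in use and race the real service for connections.
    - An address-in-use error is logged as CRITICAL and turned into an
      exception: the service must not start quietly on some other port.
    Ports below 1024 additionally need root/CAP_NET_BIND_SERVICE on Unix,
    which is the "low-numbered port" protection the answer mentions.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    exclusive = getattr(socket, "SO_EXCLUSIVEADDRUSE", None)  # Windows only
    if exclusive is not None:
        sock.setsockopt(socket.SOL_SOCKET, exclusive, 1)
    try:
        sock.bind((host, port))
    except OSError as exc:
        sock.close()
        if exc.errno in _ADDR_IN_USE:
            log.critical(
                "%s:%d is already bound by another process; possible port "
                "hijack, refusing to start", host, port,
            )
            raise PortAlreadyOwned(f"{host}:{port}") from exc
        raise
    sock.listen(16)
    log.info("listening on %s:%d", *sock.getsockname()[:2])
    return sock


def hijack_attempt(host: str, port: int, reuse_addr: bool = True) -> bool:
    """Simulate a hostile local process trying to grab the service's address.

    Returns True if the rogue bind succeeded, i.e. the service could now be
    impersonated. reuse_addr=True mirrors the classic Windows port-stealing
    trick; on Linux/BSD it does not help while the real socket is listening.
    """
    rogue = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if reuse_addr:
            rogue.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        rogue.bind((host, port))
        return True
    except OSError as exc:
        if exc.errno in _ADDR_IN_USE:
            return False
        raise
    finally:
        rogue.close()


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    service = claim_service_port("127.0.0.1", 0)   # 0 = let the OS pick a free port
    port = service.getsockname()[1]
    print("rogue bind while service is up:", hijack_attempt("127.0.0.1", port))
    try:
        claim_service_port("127.0.0.1", port)      # a second legitimate instance
    except PortAlreadyOwned as exc:
        print("second instance refused to start:", exc)
    service.close()                                 # the service "crashes"
    print("rogue bind after service died:", hijack_attempt("127.0.0.1", port))
```

Run it as a script and the three lines print False, the refusal message, then True: the address is protected only while a socket is actually listening, so the restart-on-crash and critical-on-bind-failure parts of the advice are what keep the window closed, not the port number alone.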
0

If you can use SSL for your application, then you might as well do so. Even if you have no pressing need to use it right now, it does help to make the option available and easy to activate for when you eventually migrate to a remote-server architecture and actually do need the security.

tylerl
  • 82,225
  • 25
  • 148
  • 226