4

Signing HTTP requests is all the rage nowadays. The benefits of doing so when communicating over an insecure channel are clear. With signatures you can bring message integrity and authentication to such an environment.

But I'm struggling what signatures bring to the table when the communication channel IS secure. Like TLS. Message integrity is guaranteed by TLS and authentication could be a much simpler shared secret (like an API key).

The only thing I can come up with is a niche scenarios in which sharing secrets is not desirable or exchanging the secret needs to happen on an insecure channel. Perhaps it is security in depth which merits it?

harm
  • 593
  • 1
  • 5
  • 7

1 Answers1

0

TLS only protects the communication between the TLS endpoints, i.e. some client certificate will only be checked by the TLS server. With signed request the authentication and integrity is bound to the request and not the communication channel which means that it will be kept and can still be verified by the final recipient even if TLS terminating proxies like load balancers or other reverse proxies are involved.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424