2

I would like to know how to securely set up HTTPS between two applications running on the same workstation in a production environment please:

  • A local server application (C#)
  • A web frontend which accesses the local server through a browser (packaged as an app using Electron and talking to the local server over HTTPS)

The user enters a username and password into the web frontend that forwards the details over HTTPS to the local server. In this instance, the server is acting as a proxy for an online API that provides the actual authentication.

The apps will both be run by users who are not a local admin on the workstation. Note that the local admin is trusted.

My current plan is to:

  • Generate a self-signed certificate and key store for HTTPS.
  • During installation of the app, which will be run as an admin, install the self-signed certificate in the OS trusted certs store.
  • Bundle the keystore in the local server application, which will serve HTTPS content using it. I wasn't planning to password protect the keystore as that seems security by obscurity since the application will need to contain the password to use it.

I specifically want to protect the usernames & passwords entered when users log in, as well as preventing any snooping of traffic during a session by other users.

Regarding username & password: I do have the option of authenticating directly with the online API from the frontend app and only passing an auth token to the local service. I'm not sure whether that is necessary.

The admin user is trusted so I believe a MITM attack using a tool like Fiddler would not be possible since you'd need to have admin rights to install the root cert it requires. However, given the unencrypted keystore would be available to all workstation users, would that allow them to snoop on the connection?

Also, one potential weakness is that all users will have physical access to the system, so I guess could elevate their privileges somehow (e.g. as mentioned in https://security.stackexchange.com/a/82673/249586). I'm not sure how I would mitigate against that if that is possible.

Is this design secure enough to use to send username and password to the proxy? Are there any improvements/changes I should make to the design to make it secure? (I'm not able to use sockets as suggested by other SO answers.)

Thank you!

bemo
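The three installer steps listed in the question (self-signed certificate, trust-store import, bundled keystore), written out as an added example with the built-in PKI cmdlets on Windows 10 / Server 2016 or later. This is not code from the question or the answer. It assumes the frontend reaches the server as https://localhost or https://127.0.0.1, that the server is installed under `$env:ProgramData\LocalProxy`, and that the keystore is a PFX named `server.pfx`; the PFX password is a placeholder. One practical caveat the plan in the question runs into: `Export-PfxCertificate` will not write an unprotected PFX, so the bundled keystore gets a password whether or not it adds anything.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the question or its answer). Assumed names: install dir
# $env:ProgramData\LocalProxy, keystore server.pfx, placeholder PFX password.
$ErrorActionPreference = 'Stop'

$installDir = Join-Path $env:ProgramData 'LocalProxy'      # assumed install directory
New-Item -ItemType Directory -Force -Path $installDir | Out-Null

# Step 1: self-signed server certificate. EKU = TLS server auth and SAN = localhost
# plus 127.0.0.1, so the browser's hostname check passes for either form of the URL.
$cert = New-SelfSignedCertificate `
    -Subject 'CN=localhost' `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyExportPolicy Exportable `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @(
        '2.5.29.37={text}1.3.6.1.5.5.7.3.1',                  # extendedKeyUsage: serverAuth
        '2.5.29.17={text}DNS=localhost&IPAddress=127.0.0.1'   # subjectAltName
    ) `
    -NotAfter (Get-Date).AddYears(2) `
    -FriendlyName 'Local proxy HTTPS'

# Step 2: put the public certificate (no private key) into the machine-wide trust store so
# every user's browser accepts it. This is the step that needs the elevated installer.
$cerPath = Join-Path $installDir 'server.cer'
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Step 3: export the keystore the C# server will load. Export-PfxCertificate requires
# -Password (or -ProtectTo on a domain-joined machine); a password-less PFX is not an option.
$pfxPath = Join-Path $installDir 'server.pfx'
$pfxPassword = ConvertTo-SecureString -String 'bundled-pfx-password' -AsPlainText -Force  # placeholder
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Checks before shipping: the chain must build to the trust store for the name the frontend
# uses, and the PFX must actually contain the private key the server needs.
$trusted = Test-Certificate -Cert $cert -Policy SSL -DNSName 'localhost' -ErrorAction SilentlyContinue
$pfx = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $pfxPassword)
if (-not $trusted)          { throw "Certificate $($cert.Thumbprint) is not trusted for 'localhost'" }
if (-not $pfx.HasPrivateKey) { throw "$pfxPath does not contain the private key" }

# The server reads the PFX, so the exportable copy in the machine store is no longer needed.
Remove-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)" -DeleteKey

Write-Host "Trusted: $trusted  Thumbprint: $($cert.Thumbprint)  Keystore: $pfxPath"
```

Every user who runs the local server needs read access to `server.pfx`, which is exactly the exposure the question asks about; the password baked into the server binary changes nothing about that. The C# side then loads the file with the same password and should bind its HTTPS listener to 127.0.0.1 only, which is the assumption the answer below rests on.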

1 Answer

5

There is no point in using HTTPS here.

Since the server and client are both on the same system, communications will occur over the loopback interface, which means the traffic will never leave the machine. To intercept the traffic on the machine itself, the attacker would need administrator privileges. If someone has admin privileges, it's already game over.

nobody
  • Thanks for your answer @nobody. If I just used plain HTTP I was worried User1 could leave a network sniffer running in the background and pick up unencrypted traffic when User2 logs into the app on the same workstation. Is that impossible if the OS user accounts are distinct? (We haven't decided yet if there'll be a single shared OS user account for non-admins) – bemo Feb 11 '21 at 17:43
  • 2
    @bemo Network sniffers require administrative privileges to run. So if the user can run a sniffer, that already means it's game over. – nobody Feb 11 '21 at 17:45
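The answer's argument holds only while the server is reachable over the loopback interface alone; a listener bound to 0.0.0.0 or a LAN address puts the unencrypted traffic on the wire. The check below is an added example, not code from the answer or the comments; it assumes the local server listens on port 8443.

```powershell
# Added check (not from the answer): confirm the local server's port is bound only to
# loopback addresses. Assumed port: 8443.
function Test-LoopbackOnlyListener {
    param([Parameter(Mandatory)][int]$Port)

    $listeners = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
    if (-not $listeners) {
        Write-Warning "Nothing is listening on port $Port"
        return $false
    }
    foreach ($l in $listeners) {
        # Anything other than 127.0.0.1 / ::1 is reachable from outside the machine.
        if ($l.LocalAddress -notin @('127.0.0.1', '::1')) {
            Write-Warning "Port $Port is bound to $($l.LocalAddress) (PID $($l.OwningProcess)): not loopback-only"
            return $false
        }
    }
    return $true
}

Test-LoopbackOnlyListener -Port 8443
```

Run it as the non-admin user after the server starts; a `$true` result means the "never leaves the machine" premise of the answer actually applies to the deployed configuration.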