0

I have a server that is accessed only via local network in my VPS, as it is local it does not have a domain, it is accessed only via IP (ex.: http://localhost/routine.php). This server will only be accessed via curl through my other servers.

Even though it's local, do I need to create an SSL certificate to enable HTTPs on it?

The hosting company guarantees that the LAN IP can only be accessed by my VPS as my account has a range of dedicated local IPs.

schroeder
  • 123,438
  • 55
  • 284
  • 319
Tom
  • 163
  • 4
  • 2
    See https://security.stackexchange.com/questions/121163/how-do-i-run-proper-https-on-an-internal-network for some interesting reading on why SSL certificates for sites accessed by LAN IP addresses are problematic. – mti2935 Jun 12 '21 at 01:54
  • 1
    Are you asking if you need to use TLS on a local network, or are you asking if you need a certificate if you want TLS? Your question could be interpreted either way. – schroeder Jun 12 '21 at 07:24

1 Answers1

2

Do you have to? isn't a question we can answer, because we don't know what kind of requirements you may be bound to. For example, if your private network is carrying PCI data, and your auditor says "you must encrypt all HTTP network traffic", then you need to do what your auditor says. If your organization's security policy says "you must encrypt all HTTP network traffic" then you need to follow what your security policy requires.

If it's not a hard requirement, consider building a threat model to help you make the decision. A threat model will help you understand your risks and help you prioritize fixing them: what is the risk of an attacker getting into this part of my network? Which of my systems are most vulnerable to attacks? What kind of value is at risk of theft or damage if an attacker gets in here?

Threat modeling is a three step process: sketch out your system and identify threat boundaries; identify and prioritize vulnerabilities in your system; and decide on a risk treatment for each.

By working through the threat model process, you find the most important risks first. Then you can decide if you can accept the risk (perhaps the system is of low value, or perhaps it's unrealistic that an attacker would strike in a particular way when there are easier things to attack), or if you need to mitigate the risk. Perhaps very little value is at risk, and encrypting will cost you a week of certificate management issues, so you decide it's not worth it. You might identify more important risks that you have to deal with long before you worry about TLS. Perhaps it's more important to isolate the vulnerable systems from the backend systems in a different way, such as a WAF. Perhaps you'll discover that if the attacker is in one particular system, he already has access to the traffic whether or not it's encrypted, so encryption won't actually solve your problem.

If you're not familiar with threat modeling, OWASP has an informative site here: https://owasp.org/www-community/Threat_Modeling You may want some training, or to engage an infosec person to help you through the process the first time. You can check with your local OWASP chapter and see if they offer classes; you can also probably find some examples on YouTube.

John Deters
  • 33,650
  • 3
  • 57
  • 110