0

What are the security implications of using HTTP only for IPC for services within the same host?

In my case, I am using docker-compose to host two ASP.NET Core services within the same host in Azure. One proxy service and one web API service. The only public communication is through the proxy and the API is not exposed.

In this case, is it worth the performance penalty of HTTPS for the communication between the proxy and the API service?

Mariksel Azemaj
  • 101
  • 2
  • 1
    Did you actually benchmark to determine whether HTTPS produces noticeable performance issues? – Beltway Nov 22 '21 at 09:07
  • 1
    The major risk here is that an attacker with access to the host would be able to sniff traffic. If those are the only two things running on the host, that would likely not be a major risk. TBH the perf. overhead of TLS may not be too bad but the extra complication of setting up valid TLS certs is quite possibly not worth it :) – Rory McCune Nov 22 '21 at 09:35
  • @Beltway If there is no need to use HTTPS then benchmarking is unnecessary. I am looking more for a general solution. – Mariksel Azemaj Nov 22 '21 at 09:59
  • @RoryMcCunne I was thinking of using mTLS, isn't that easier to manage? – Mariksel Azemaj Nov 22 '21 at 10:00

0 Answers0