
I have frontend application that can be accessed from the outside and it uses HTTPS. I have backend application that is running on the same computer/server as frontend and it uses HTTP. I can't switch my backend to HTTPS, what are the security problems for my setup?

1 Answer


Realistically there's probably not much of a security issue there. Running the site using HTTPS doesn't in and of itself make any difference to the security of the website; it provides security in relation to the connection from the user to the intended server.

The TLS/SSL part of HTTPS (or any other protocol that uses it) essentially provides two things. 1) A secure tunnel between the client and the server, so that any communication between the two can't be intercepted en route, for instance when using public wifi. 2) Confirmation when you connect to www.foo.com that it really is www.foo.com, and someone hasn't managed to redirect your request to a malicious server.

Taken in that context, when you're talking about your local internal network, especially if you're using a wired network, the risk becomes whether someone with access to your network could set something up to snoop on your network traffic to the web server, or poison the local DNS to send the server to someone else. Neither of those is impossible, but if someone HAS somehow compromised your network (either physically, or via a compromised device) such that they could do either of those things, then you have much larger issues to worry about than traffic to a web server being compromised.

However, while there's not much of a security issue, depending on how that backend application is accessed, and who it's accessed by, it could be a usability issue. Most browsers will complain at you if you try to connect to a website that isn't HTTPS secured, and some simply won't let you connect or make it hard to work around. Fine if it's just some kind of admin UI, but more of an issue if it's widely used by non-technical staff.

  • A possible nitpick with your answer. A man-in-the-middle scenario will break the TLS/SSL security of an https:// connection. If you don't already have host keys saved on the client and then connect to the server on a public wifi, the keys can be spoofed and your credentials stolen.
    – doneal24
    Aug 14 at 20:07
  • While this answer captured some good points, it also missed many other important security features HTTPS offers (client certificates for example). That's why security related questions are better redirected to dedicated sites like security.stackexchange.com.
    – Lex Li
    Aug 14 at 21:26
  • @doneal24: TLS/SSL -- and HTTPS -- doesn't work like that at all. SSH does, but that is completely different and not of any relevance here.
    Aug 15 at 1:38
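The practical follow-up to the answer is to confirm that the plaintext backend only listens on the loopback interface, so its HTTP traffic never reaches the network the answer describes snooping on. The script below is an added example, not code from the question or answers: it parses the output of `ss -ltn` on Linux and flags any listener on an assumed plaintext port that is bound to something other than a loopback address. The listener lines and the port roles (8080 and 9000 as HTTP backends, 443 as the HTTPS frontend) are constructed for the demonstration.

```python
"""Audit which listening sockets expose a plaintext HTTP backend beyond loopback.

Added example, not from the original question or answers. It parses the
text format of `ss -ltn` on Linux; the sample lines below are constructed
for the demonstration and the port-to-role mapping is an assumption.
"""
import ipaddress

# Constructed sample of `ss -ltn` output: an HTTPS frontend on 443 (all
# interfaces), an HTTP backend on 8080 bound to loopback only, and a second
# HTTP service on 9000 mistakenly bound to every interface.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1,fd=6))
LISTEN  0       511     [::]:443             [::]:*             users:(("nginx",pid=1,fd=7))
LISTEN  0       128     127.0.0.1:8080       0.0.0.0:*          users:(("backend",pid=2,fd=3))
LISTEN  0       128     0.0.0.0:9000         0.0.0.0:*          users:(("legacy",pid=3,fd=3))
"""

# Ports that carry plaintext HTTP in this deployment (assumed for the example).
PLAINTEXT_PORTS = {8080, 9000}


def parse_listeners(ss_output):
    """Return (address, port) tuples for every LISTEN line in `ss -ltn` text."""
    listeners = []
    for line in ss_output.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        local = fields[3]                      # e.g. "127.0.0.1:8080" or "[::]:443"
        addr, _, port = local.rpartition(":")  # split on the last colon (IPv6 safe)
        addr = addr.strip("[]")
        if addr == "*":                        # older ss prints "*" for the any-address
            addr = "::"
        listeners.append((addr, int(port)))
    return listeners


def is_loopback_only(addr):
    """True if the bind address only accepts connections from the same host."""
    return ipaddress.ip_address(addr).is_loopback


def exposed_plaintext_listeners(ss_output, plaintext_ports=PLAINTEXT_PORTS):
    """Plaintext listeners reachable from other hosts, i.e. not bound to loopback."""
    return [
        (addr, port)
        for addr, port in parse_listeners(ss_output)
        if port in plaintext_ports and not is_loopback_only(addr)
    ]


if __name__ == "__main__":
    for addr, port in exposed_plaintext_listeners(SAMPLE_SS_OUTPUT):
        print(f"plaintext HTTP on {addr}:{port} is reachable beyond this host")
```

On a real server, replace `SAMPLE_SS_OUTPUT` with the captured output of `ss -ltn` and set `PLAINTEXT_PORTS` to the ports your backend actually uses. A backend that shows up only on `127.0.0.1` or `::1` is in the situation the answer calls low risk: the unencrypted hop stays inside the machine, and the reverse proxy on 443 is the only thing the network sees.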
