Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Require HTTPS or localhost connection #4

Open
drewwills opened this issue Jun 19, 2016 · 4 comments
Open

Require HTTPS or localhost connection #4

drewwills opened this issue Jun 19, 2016 · 4 comments

Comments

@drewwills
Copy link
Owner

No description provided.

@andrewstuart
Copy link
Contributor

Would we be considering using TLS client certificates as well as validating that services are using HTTPS?

I think this will be important to think about, as I think it's probably much more important that the Soffit providers can validate the source of a request is trusted (part of why I advocate for JWT in #5) than the portal being to authenticate that the service providers it's talking to are trusted. We already have that trust (to a limited extent) by the fact that administrators are required to initially configure the Soffit endpoints.

Either way, we should be aware that adding an HTTPS requirement (or default) will add significant cost or complexity (must purchase certificates or run your own CA and add its cert to Java CA keystores, OS CA stores, etc.) to the implementation.

In testing out HTTPS with my own golang provider, I already ran into a significant amount of complexity making sure the portal was able to trust the certificates being presented by the endpoints.

@drewwills
Copy link
Owner Author

I'm not sure how much this issue is pertinent any longer, since all data model elements are encrypted & signed. You have to know the encryption password to see any data.

@andrewstuart
Copy link
Contributor

I'd still expect this would be highly desireable, since there's still a decent amount of information sent in plaintext that TLS would hide. The URL will be fully visible, and more importantly, the whole response (which may very well contain some of the previously-encrpyted info) will be returned in plaintext.

Additionally, the encryption TLS provides (DH key exchange per-session versus long-lived password-based encrpytion) will be much stronger and nearly impossible to guess the encryption key. With password encryption, the password is much more likely to be leaked in practice than the RSA secret key + key password.

@andrewstuart
Copy link
Contributor

Additionally, do you have plans to make the JWT encryption optional? AFAIK that is not a standard yet (JWE rfc is still draft status) and so our current implementation is nonstandard and will make non-java integration more challenging (versus the many JWT libraries that can already validate standard JWT signatures).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@drewwills @andrewstuart