Does HTTPS/SSL make sense on a local network?
Depends on your threat model. If you think there might be bad guys on your network, then you absolutely need to encrypt traffic.
When two machines are on the same subnet (i.e. there's no router between them), ARP Poisoning becomes a feasible attack. That entails an attacker telling one machine "hey, I'm the server you were talking to, and my MAC address is now attacker's MAC" and telling the other "hey, I'm the client you were talking to, and my MAC address is now attacker's MAC." Once that's done, the attacker can listen in on all the traffic (or change it!) before forwarding it to the real recipient.
Removing warnings about self-signed certificates is a bad idea when there could be attackers because doing that demolishes the entire point of having certificates in the first place, specifically, that not anybody can just make up a certificate and then have other computers believe that they're the right server. If I could just create a certificate saying that I'm Google and you believed me, I could intercept your traffic to Google and fiddle with it, and you wouldn't know because you thought my certificate was legit. TLS (and all public-key infrastructure, really) requires having trustworthy certification authorities.
If you're certain that no attackers will ever be able to connect to the network (e.g. two servers are directly connected and physically secured), then you can send whatever you want in the clear. Otherwise, security is a good plan.
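The poisoning described in the answer above leaves a visible trace on the wire: an ARP reply that rebinds an IP address already known to belong to another MAC, and one MAC claiming both endpoints' addresses. The following is an added example, not part of the original answer: it packs a handful of ARP reply frames inline (constructed sample data, not a real capture; the MAC and IP addresses are invented) and runs a simple detector over them.

```python
"""Detect ARP poisoning from a sequence of Ethernet frames.

Added example, not from the original answer. The frames below are built
inline (constructed sample data, invented addresses) so the check runs
offline without a capture file or raw-socket access.
"""
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_REPLY = 2


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s):
    return bytes(int(octet) for octet in s.split("."))


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying an ARP reply meaning 'sender_ip is at sender_mac'."""
    eth = ETH_HDR.pack(mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, ETHERTYPE_IPV4, 6, 4, ARP_REPLY,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None if the frame is not ARP."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    _ht, _pt, _hl, _pl, op, sha, spa, _tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    return op, fmt_mac(sha), fmt_ip(spa), fmt_ip(tpa)


def detect_poisoning(frames):
    """Flag ARP replies that rebind a learned IP, and MACs claiming several IPs.

    The first binding seen for an IP is trusted; a real deployment would seed
    the table from a known-good inventory or DHCP leases instead.
    """
    learned = {}                 # ip -> mac from the first reply seen
    claims = defaultdict(set)    # mac -> set of IPs it has answered for
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _op, sha, spa, tpa = parsed
        claims[sha].add(spa)
        prev = learned.setdefault(spa, sha)
        if prev != sha:
            alerts.append(f"binding change: {spa} was {prev}, now {sha} (reply sent to {tpa})")
    for sha, ips in claims.items():
        if len(ips) > 1:
            alerts.append(f"one MAC, many IPs: {sha} claims {sorted(ips)}")
    return alerts


# Constructed sample traffic (invented addresses).
SERVER_MAC, SERVER_IP = "aa:aa:aa:aa:aa:01", "192.168.1.10"
CLIENT_MAC, CLIENT_IP = "bb:bb:bb:bb:bb:02", "192.168.1.20"
ATTACKER_MAC = "cc:cc:cc:cc:cc:03"

SAMPLE_FRAMES = [
    # Legitimate exchange: each host answers for its own IP.
    build_arp_reply(SERVER_MAC, SERVER_IP, CLIENT_MAC, CLIENT_IP),
    build_arp_reply(CLIENT_MAC, CLIENT_IP, SERVER_MAC, SERVER_IP),
    # Poisoning: the attacker tells the client "I am the server" and the server "I am the client".
    build_arp_reply(ATTACKER_MAC, SERVER_IP, CLIENT_MAC, CLIENT_IP),
    build_arp_reply(ATTACKER_MAC, CLIENT_IP, SERVER_MAC, SERVER_IP),
    # An IPv4 frame with a dummy payload, which the detector must ignore.
    ETH_HDR.pack(mac_bytes(CLIENT_MAC), mac_bytes(SERVER_MAC), ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 39,
]

if __name__ == "__main__":
    for alert in detect_poisoning(SAMPLE_FRAMES):
        print(alert)
```

Run against the sample, the detector reports the two rebindings (the server's IP and the client's IP both "moving" to the attacker's MAC) and then the single MAC that now answers for both addresses. Tools such as arpwatch apply the same binding-change heuristic on live traffic; the limitation, as with any first-seen approach, is that an attacker who poisons the cache before the monitor learns the real binding is not caught.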
Benni
Updated on September 18, 2022

Comments
-
Benni over 1 year
I wonder if I should enable HTTPS/SSL on web servers in my LAN.
Which opportunities does a sniffer/man-in-the-middle have in a local area network, where devices are usually connected by switches?
Is it negligent to send passwords in plain text over local area networks?
I also want to get rid of warnings about self-signed certificates.
-
user1686 about 8 years: obligatory link to "SSL added and removed here"
-
Ben N about 8 years: Note to close voters: this question is not primarily opinion-based because it asks about what things can happen on an unsecured network. Answers will be based on expertise and facts (cf. mine).
-
Romeo Ninov about 8 years: This question would probably be better asked on Security SE.