Does HTTPS/SSL make sense on a local network?

7,174

Depends on your threat model. If you think there might be bad guys on your network, then you absolutely need to encrypt traffic.

When two machines are on the same subnet (i.e. there's no router between them), ARP Poisoning becomes a feasible attack. That entails an attacker telling one machine "hey, I'm the server you were talking to, and my MAC address is now attacker's MAC" and telling the other "hey, I'm the client you were talking to, and my MAC address is now attacker's MAC." Once that's done, the attacker can listen in on all the traffic (or change it!) before forwarding it to the real recipient.

Removing warnings about self-signed certificates is a bad idea when there could be attackers because doing that demolishes the entire point of having certificates in the first place, specifically, that not anybody can just make up a certificate and then have other computers believe that they're the right server. If I could just create a certificate saying that I'm Google and you believed me, I could intercept your traffic to Google and fiddle with it, and you wouldn't know because you thought my certificate was legit. TLS (and all public-key infrastructure, really) requires having trustworthy certification authorities.

If you're certain that no attackers will ever be able to connect to the network (e.g. two servers are directly connected and physically secured), then you can send whatever you want in the clear. Otherwise, security is a good plan.
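A defender-side illustration of the ARP poisoning described above, as an added example that is not part of the original answer: it compares two neighbour-table snapshots (in the format printed by `ip neigh`) and reports IPs whose MAC changed and MACs that now answer for several IPs. The snapshots, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data: neighbour table of a monitoring host, before and
# after a host at 02:00:00:00:00:66 starts claiming other machines' IPs.
BEFORE = """\
192.168.1.1 dev eth0 lladdr 02:00:00:00:00:01 REACHABLE
192.168.1.10 dev eth0 lladdr 02:00:00:00:00:10 REACHABLE
192.168.1.20 dev eth0 lladdr 02:00:00:00:00:20 STALE
"""
AFTER = """\
192.168.1.1 dev eth0 lladdr 02:00:00:00:00:01 REACHABLE
192.168.1.10 dev eth0 lladdr 02:00:00:00:00:66 REACHABLE
192.168.1.20 dev eth0 lladdr 02:00:00:00:00:66 REACHABLE
192.168.1.66 dev eth0 lladdr 02:00:00:00:00:66 REACHABLE
192.168.1.30 dev eth0 FAILED
"""

# "<ip> dev <iface> lladdr <mac> <state>"; entries without lladdr are skipped.
ENTRY = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-fA-F:]{17})\b")

def parse_neigh(text):
    """Return {ip: mac} for entries that carry a link-layer address."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table

def arp_findings(before, after):
    """Compare two snapshots and report signs consistent with ARP poisoning."""
    old, new = parse_neigh(before), parse_neigh(after)
    # Signal 1: an IP seen in both snapshots now maps to a different MAC.
    changed = sorted((ip, old[ip], new[ip]) for ip in new
                     if ip in old and old[ip] != new[ip])
    # Signal 2: one MAC answers for more than one IP.
    by_mac = defaultdict(set)
    for ip, mac in new.items():
        by_mac[mac].add(ip)
    shared = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    return {"changed": changed, "shared": shared}

if __name__ == "__main__":
    report = arp_findings(BEFORE, AFTER)
    for ip, was, now in report["changed"]:
        print(f"{ip}: MAC changed {was} -> {now}")
    for mac, ips in report["shared"].items():
        print(f"{mac} answers for several IPs: {', '.join(ips)}")
```

Both signals also have benign causes (a replaced network card, a failover pair, a multi-homed host), so they are a prompt to investigate rather than proof of an attack.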

Author by

Benni

Updated on September 18, 2022

Comments

  • Benni
    Benni over 1 year

    I wonder if I should enable HTTPS/SSL on web servers in my LAN.

    Which opportunities does a sniffer/man-in-the-middle have in a local area network, where devices are usually connected by switches?

    Is it negligent to send passwords in plain text over local area networks?

    I also want to get rid of warnings about self-signed certificates.

    • user1686
      user1686 about 8 years
      obligatory link to "SSL added and removed here"
    • Ben N
      Ben N about 8 years
      Note to close voters: this question is not primarily opinion-based because it asks about what things can happen on an unsecured network. Answers will be based on expertise and facts (cf. mine).
    • Romeo Ninov
      Romeo Ninov about 8 years
      This question would probably be better asked on Security SE