If I were to host a web service on the same machine as my web site, and pass sensitive information to it, do I need to call it using https?
For example, I would reference it using localhost, so won't this information be secure as it's not being transmitted across an insecure channel?
EDIT: I should mention that this web service would not be accessible from the outside world.
An attacker could change your hosts file so that localhost now points to a remote host which would not have the correct certificate - but if he has filesystem access then he can probably also get your certificate.
If that's not the case then nothing is secure.
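The hosts-file point in the answer above can be checked from the calling side. The following Python code is an added example, not part of the original answers: it resolves the service name, refuses to connect unless every resolved address is loopback, and then dials the vetted IP literal. All function names are hypothetical.

```python
import ipaddress
import socket


def resolve(host, port):
    """Addresses the OS resolver (hosts file included) returns for host."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def is_loopback(addr):
    """True for 127.0.0.0/8, ::1 and IPv4-mapped forms of 127.0.0.0/8."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_loopback


def resolves_to_loopback_only(host, port, resolver=resolve):
    """True only if the name resolves and every address is loopback."""
    addrs = resolver(host, port)
    return bool(addrs) and all(is_loopback(a) for a in addrs)


def connect_loopback_only(host, port, resolver=resolve, timeout=2.0):
    """Connect to host:port, refusing if any resolved address is off-box."""
    addrs = sorted(resolver(host, port))
    if not addrs or not all(is_loopback(a) for a in addrs):
        raise ConnectionRefusedError(f"{host!r} resolves to {addrs}, not loopback only")
    last_error = None
    for addr in addrs:
        try:
            # Dial the vetted IP literal so the name is not resolved a second time.
            return socket.create_connection((addr, port), timeout=timeout)
        except OSError as exc:
            last_error = exc
    raise last_error


if __name__ == "__main__":
    # Constructed demo: a listener bound to 127.0.0.1 only, on an ephemeral port.
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    port = server.getsockname()[1]
    with connect_loopback_only("localhost", port) as conn:
        print("connected to", conn.getpeername())
    server.close()
```

Binding the listener to `127.0.0.1` rather than a wildcard address is what keeps the service unreachable from other hosts; the client-side check only confirms that the name the caller uses still points at the local machine.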
Is there a particular reason you've decided to incur the cost of socket based communications, even if it is just a loopback to your own machine? Some technologies (Windows Communication Foundation, as an example) will allow you to take that same service you built and access it via named pipes instead of making the HTTP call.
If technologies like this are not in play, is there any reason you wouldn't consider alternatives such as an in-process call? Essentially, help us understand why you are doing this so that we can be of further assistance.