Do I need to make my web service secure?




If I were to host a web service on the same machine as my web site, and pass sensitive information to it, do I need to call it using https?

For example, I would reference it using localhost, so won't this information be secure as it's not being transmitted across an insecure channel?

EDIT: I should mention that this web service would not be accessible from the outside world.

Thanks





1:



Yes, if your service is accessed using http://localhost, then no information will be transmitted across the network, so https is unnecessary.



2:



I don't think there are any realistic scenarios where using https for local communication could protect you against an otherwise successful attack.


An attacker could change your hosts file so that localhost now points to a remote host which would not have the correct certificate - but if he has filesystem access then he can probably also get your certificate.


3:


Probably not if your computer is secure.

If that's not the case then nothing is secure.


4:


I think the answer that you got from the group is pretty clearly "no, SSL is not necessary". Perhaps we can be of further assistance if we understand what you're trying to do.

Is there a particular reason you've decided to incur the cost of socket based communications, even if it is just a loopback to your own machine? Some technologies (Windows Communication Foundation, as an example) will allow you to take that same service you built and access it via named pipes instead of making the HTTP call.

If technologies like this are not in play, is there any reason you wouldn't consider alternatives such as an in-process call? Essentially, help us understand why you are doing this so that we can be of further assistance.
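
The answers above rest on two conditions: that `localhost` really resolves to the loopback interface (the hosts-file point in answer 2) and that the service listens only there, as the question's edit says. The following is an added example, not code from the thread, that checks both in Python; the function names, the handler and the port choice are assumptions made for illustration.

```python
import ipaddress
import socket
from http.server import BaseHTTPRequestHandler, HTTPServer


def resolves_only_to_loopback(hostname="localhost"):
    """True if every address the resolver returns for hostname is loopback."""
    addrs = {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    # Strip any IPv6 scope id ("%eth0") before parsing.
    return bool(addrs) and all(
        ipaddress.ip_address(a.split("%")[0]).is_loopback for a in addrs)


def is_loopback_bind(bind_host):
    """True only for a literal loopback IP; "", 0.0.0.0 and names are rejected."""
    try:
        return ipaddress.ip_address(bind_host).is_loopback
    except ValueError:
        return False


class LocalOnlyHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Defence in depth: refuse any peer that is not on the loopback interface.
        if not ipaddress.ip_address(self.client_address[0]).is_loopback:
            self.send_error(403, "loopback only")
            return
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_local_service(bind_host="127.0.0.1", port=0):
    """Create the listener, refusing any bind address reachable from outside."""
    if not is_loopback_bind(bind_host):
        raise ValueError(f"refusing non-loopback bind address {bind_host!r}")
    return HTTPServer((bind_host, port), LocalOnlyHandler)


if __name__ == "__main__":
    print("localhost is loopback only:", resolves_only_to_loopback())
    server = start_local_service()
    print("listening on", server.server_address)
    server.server_close()
```

Running the resolver check at service start-up turns a tampered hosts entry into a visible failure instead of plaintext traffic leaving the machine.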


