Hello

If I were to host a web service on the same machine as my web site, and pass sensitive information to it, do I need to call it using https?

For example, I would reference it using localhost, so won't this information be secure as it's not being transmitted across an insecure channel?

EDIT: I should mention that this web service would not be accessible from the outside world.

Thanks

A: 

Probably not, if your computer is secure. If that's not the case, then nothing is secure.

Umair Ahmed
+2  A: 

Yes, if your service is accessed using http://localhost, then no information will be transmitted across the network, so https is unnecessary.

sleske
+1  A: 

I don't think there are any realistic scenarios where using https for local communication could protect you against an otherwise successful attack.

An attacker could change your hosts file so that localhost now points to a remote host which would not have the correct certificate - but if he has filesystem access then he can probably also get your certificate.

Michael Borgwardt
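The two conditions the answers above rely on (the service listens on loopback only, and `localhost` really resolves to loopback) can be checked in code. This is an added example, not part of any answer; the function names and the `tampered_resolver` sample data are constructed for illustration.

```python
import http.client
import ipaddress
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def non_loopback_addresses(name, resolver=socket.getaddrinfo):
    """Return the addresses `name` resolves to that are NOT loopback."""
    addrs = {info[4][0] for info in resolver(name, None)}
    return sorted(a for a in addrs if not ipaddress.ip_address(a).is_loopback)


class Ping(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # keep the example quiet
        pass


def start_loopback_service():
    """Bind to 127.0.0.1 only (not 0.0.0.0), on an ephemeral port."""
    server = HTTPServer(("127.0.0.1", 0), Ping)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def call_local(server):
    """Call by literal loopback IP, so name resolution is not involved."""
    host, port = server.server_address
    if not ipaddress.ip_address(host).is_loopback:
        raise RuntimeError(f"service is bound to non-loopback address {host}")
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", "/")
    body = conn.getresponse().read()
    conn.close()
    return body


# Constructed resolver output imitating a modified hosts file
# (203.0.113.0/24 is a reserved documentation range).
def tampered_resolver(name, port):
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("203.0.113.5", 0))]


if __name__ == "__main__":
    print(non_loopback_addresses("localhost", tampered_resolver))
    print(call_local(start_loopback_service()))
```

An empty list from `non_loopback_addresses("localhost")` means the name resolves to loopback only on that machine.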
A: 

I think the answer that you got from the group is pretty clearly "no, SSL is not necessary".

Perhaps we can be of further assistance if we understand what you're trying to do. Is there a particular reason you've decided to incur the cost of socket-based communications, even if it is just a loopback to your own machine?

Some technologies (Windows Communication Foundation, as an example) will allow you to take that same service you built and access it via named pipes instead of making the HTTP call. If technologies like this are not in play, is there any reason you wouldn't consider alternatives such as an in-process call? Essentially, help us understand why you are doing this so that we can be of further assistance.

Thomas Beck