I am developing an API for a web application. Desktop clients will interact with the API using simple HTTP posts (REST). I will be using SSL, there is no question about that. My question is this: should I also be encrypting the data before it is sent over SSL? The information being sent may contain confidential information. Is SSL enough or should I be doing more? My only concern with adding additional layers of security is that it will make it substantially more difficult for people to interact with the API. Any thoughts on this would be much appreciated.

+2  A: 

If you trust your certification authority, your clients do, and your key is sufficiently secure (RSA 2048 will not be breakable for a while), there are no problems at all with SSL. You don't need to encrypt your data before SSLing, as SSL itself provides encryption.

If this API is to be used over the internet, the list of certification authorities here will be useful to you in choosing one.

You can also have your clients authenticate over SSL, with SSL client certificates.

fahadsadah
+3  A: 

No, SSL provides strong encryption as it is. Just make sure you force clients to use HTTPS, and if you're really paranoid, check if the cipher is strong enough.

The only reason you'd want to encrypt a second time is if your web application passes the data straight on to some other system. In that case, you could keep the web application ignorant of the actual data and provide end-to-end encryption between the client and the final destination.

Shtééf
Thanks - I'm forcing SSL already. I like your thought on keeping the server ignorant of the data and letting the client hold onto the encryption keys, but unfortunately the server needs access to the data.
Jon Tackabury
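
An added example, not code from any poster in this thread: one way a Python server could do the "check if the cipher is strong enough" step mentioned in the answer above, both on the listening context and on each negotiated connection. The function names and the policy (TLS 1.2 or later, 128-bit or stronger, forward secrecy, AEAD) are assumptions chosen for illustration.

```python
import ssl

# Substrings of OpenSSL suite names that mark legacy algorithms (assumed policy).
LEGACY_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")


def suite_findings(name, bits, aead=None):
    """Return the reasons an OpenSSL-named suite falls below the assumed policy."""
    reasons = [f"legacy algorithm {m}" for m in LEGACY_MARKERS if m in name]
    if bits is None or bits < 128:
        reasons.append(f"only {bits} bits")
    # TLS 1.3 suites (TLS_*) always use ephemeral key exchange.
    if not name.startswith(("TLS_", "ECDHE-", "DHE-")):
        reasons.append("no forward secrecy")
    if aead is False:
        reasons.append("not AEAD")
    return reasons


def hardened_server_context():
    """Server context that refuses old protocol versions and weak suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # TLS 1.2 suite list
    return ctx


def audit_context(ctx):
    """Map every enabled suite that fails the policy to its reasons."""
    report = {}
    for suite in ctx.get_ciphers():
        found = suite_findings(
            suite["name"], suite.get("strength_bits"), suite.get("aead")
        )
        if found:
            report[suite["name"]] = found
    return report


def negotiated_ok(version, cipher):
    """Per-connection check: pass SSLSocket.version() and SSLSocket.cipher()."""
    if version not in ("TLSv1.2", "TLSv1.3") or cipher is None:
        return False
    name, _protocol, bits = cipher
    return not suite_findings(name, bits)


if __name__ == "__main__":
    print(audit_context(hardened_server_context()))
    # Constructed sample: a static-RSA CBC suite, as an old client might negotiate.
    print(negotiated_ok("TLSv1.2", ("AES128-SHA", "TLSv1.0", 128)))
```

In a real handler, `negotiated_ok(conn.version(), conn.cipher())` would run after the handshake on the accepted `SSLSocket`, and the connection would be closed on `False`.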
+1  A: 

IMHO, I would not add another layer of encryption on top of the already existing encryption. It will add overhead and as you say, complexity to the API. SSL exists to send secure data between two nodes, so why reinvent the wheel?

Tony
Good point, I like keeping things simple but just using SSL seemed too easy. It felt like I was missing something. :)
Jon Tackabury
A: 

As Shtééf already pointed out, if you need end-to-end encryption instead of point-to-point, then you need encryption. Another case where this might be relevant is if your client applications communicate with the server through integration services and service buses. In this case the SSL encryption is not enforced while the message is in an intermediary node, and that node may do whatever it wants with the unencrypted confidential data.

Furthermore, if your clients use these integration services then they might not enforce SSL connections between the client and the integration service.

While working with highly confidential information, I tend to go for end-to-end security instead of SSL-encrypted communication channels for this reason.

Aleksi