Re: [jetty-users] Fast SSL with jetty.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [jetty-users] Fast SSL with jetty.

From: Shawn Heisey <eclipse@xxxxxxxxxxxx>
Date: Sun, 14 Mar 2021 18:42:34 -0600
Delivered-to: jetty-users@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/jetty-users/>
List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.8.1

On 3/14/2021 5:50 PM, Luke B wrote:

Setting up jetty to listen only on localhost without SSL and having annginx (or other web server) reverse proxy to provide SSL is possible butunlikely something that is acceptable as encryption is required all theway to the java process. In this case a tcp dump would reveal passwords.

Think about what would have to happen for somebody to get that packetcapture.

1) If the reverse proxy is on a different machine than Jetty, one way inis for the attacker to have physical access to the hardware. They couldpatch a rogue machine in with two network ports and capture everythinggoing over the machine's wire. A raspberry pi with a USB network donglecould probably be used for that -- relatively easy to hide.

2) If the attacker manages to acquire remote access and admin/rootprivileges, they could install tools on the machine (like tcpdump orwireshark) to capture those packets whether the two processes are on thesame machine (using localhost) or on separate machines.


If you have good physical security, the first attack is not going to happen.

If the second attack succeeds, you've got bigger problems than a lack ofencryption on the back end of your web services. They've got admin/rootaccess, and might be able to obtain those privileges on other machinesthrough software vulnerabilities. They would probably already haveaccess to everything they might glean from capturing unencryptedpackets. An example: Credentials in config files for services likemail, database, microservices, etc.

It is my strong opinion that encrypting the connection between afront-end reverse proxy or load balancer and back end web services is anillusion of safety that comes at the expense of CPU time needed for theextra encryption.


Anybody is welcome to disagree with me.

I worked at a company that was setting up services for a very highprofile customer. That customer wanted the back end encrypted like youdo. We did it, but I think it was unnecessary.


Thanks,
Shawn

Follow-Ups:
- Re: [jetty-users] Fast SSL with jetty.
  - From: Luke B

References:
- [jetty-users] Fast SSL with jetty.
  - From: Luke B

Prev by Date: [jetty-users] Fast SSL with jetty.
Next by Date: Re: [jetty-users] Fast SSL with jetty.
Previous by thread: [jetty-users] Fast SSL with jetty.
Next by thread: Re: [jetty-users] Fast SSL with jetty.
Index(es):
- Date
- Thread

Breadcrumbs