
What are the benefits of requiring HTTPS between AWS CloudFront and the origin server?

@Sent6035632

Posted in: #AmazonAws #AmazonCloudfront #Https #Security #SecurityCertificate

I am hosting a website on Amazon CloudFront and we've recently updated the distribution to require HTTPS between CloudFront and viewers. With the introduction of AWS Certificate Manager and the viability of SNI, this move is simple and cheap. The benefits of moving this to HTTPS are numerous.

I'm now wondering about the benefit of requiring HTTPS between CloudFront and my origin server (which is a custom origin). I know that would mean that CF would request all origin objects over HTTPS, but I'm struggling to find what benefit (security or otherwise) this provides. Is there a practical attack vector that could be exploited because requests to the origin are not made over HTTPS?

There is more administrative overhead to setting up and maintaining HTTPS on the origin server, so I want to know, do the benefits make that overhead worthwhile?

Ref: docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html


2 Comments


@Nickens628

It depends on your site.

If you run a special site involving high security and you want only select individuals located in several different countries with certain browsers to access your site and a login (or something unique to the user) is required to access the majority of the content on the site, then I'd say go for HTTPS.

If you have a generic site that presents information that you don't mind the whole world seeing, then HTTP for the HTML pages should be OK. Even though a hacker can download content via HTTP more easily than with HTTPS, I still go with HTTP because it is a faster protocol and in order for pages to be indexed (especially by Google), your site needs to run fast.

As for the man-in-the-middle attack that someone stated in their answer, it wouldn't matter much for a website that is meant for a worldwide audience. I'd stick with HTTP and let the CDN download the site. There may be delays here and there while the hackers do their random seconds of glory. By that, I mean where they take a split second and suck up over 10 MB bandwidth in the split second. I know this from checking my server bandwidth graphs.

Now if you're doing a high-security site, HTTPS may help, but more importantly, you must make sure the scripts that process the site are 100% secure and bug-free.


@Angela700

If an attacker is able to put themselves between your origin server and a CloudFront edge location, it won't be so difficult for the attacker to capture your HTTP traffic and extract your information. Theoretically, it can be done on the side of your ISP.
It is called a "Man-in-the-middle" attack: en.wikipedia.org/wiki/Man-in-the-middle_attack
If you trust your ISP or hosting provider 100%, you don't need HTTPS.
Also, there is no need to encrypt public content.
Anyway, the ultimate best practice is to use HTTPS always.

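Added example, not part of the question or either answer: requiring HTTPS for viewers does not by itself encrypt the CloudFront-to-origin hop, which is governed per origin by `OriginProtocolPolicy` and `OriginSslProtocols`. The Python check below audits a distribution config for custom origins that can still be fetched in cleartext or over legacy TLS; the sample config is constructed, and the function name is an assumption of this example.

```python
# Constructed sample shaped like the DistributionConfig object returned by
# `aws cloudfront get-distribution-config`; IDs and hostnames are made up.
SAMPLE = {
    "Origins": {"Items": [
        {"Id": "web", "DomainName": "origin.example.com", "CustomOriginConfig": {
            "OriginProtocolPolicy": "http-only",
            "OriginSslProtocols": {"Items": ["TLSv1.2"]}}},
        {"Id": "api", "DomainName": "api.example.com", "CustomOriginConfig": {
            "OriginProtocolPolicy": "match-viewer",
            "OriginSslProtocols": {"Items": ["TLSv1", "TLSv1.2"]}}},
        {"Id": "app", "DomainName": "app.example.com", "CustomOriginConfig": {
            "OriginProtocolPolicy": "https-only",
            "OriginSslProtocols": {"Items": ["TLSv1.2"]}}},
        {"Id": "assets", "DomainName": "bucket.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
    ]},
    "DefaultCacheBehavior": {"TargetOriginId": "web",
                             "ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": {"Items": [
        {"PathPattern": "/api/*", "TargetOriginId": "api", "ViewerProtocolPolicy": "allow-all"},
        {"PathPattern": "/app/*", "TargetOriginId": "app", "ViewerProtocolPolicy": "https-only"},
    ]},
}
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}

def audit_origin_transport(config):
    """Return (origin_id, finding) pairs for weak CloudFront-to-origin transport."""
    # Collect the viewer policies of every cache behaviour routed to each origin.
    behaviors = [config["DefaultCacheBehavior"]]
    behaviors += config.get("CacheBehaviors", {}).get("Items", [])
    viewer = {}
    for b in behaviors:
        viewer.setdefault(b["TargetOriginId"], set()).add(b["ViewerProtocolPolicy"])
    findings = []
    for origin in config["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if custom is None:  # S3 origins carry no OriginProtocolPolicy
            continue
        oid, policy = origin["Id"], custom["OriginProtocolPolicy"]
        if policy == "http-only":
            findings.append((oid, "origin is always fetched over plain HTTP"))
            continue  # the TLS protocol list is irrelevant when TLS is never used
        if policy == "match-viewer" and "allow-all" in viewer.get(oid, set()):
            findings.append((oid, "match-viewer + allow-all: HTTP viewers cause HTTP origin fetches"))
        weak = LEGACY & set(custom.get("OriginSslProtocols", {}).get("Items", []))
        if weak:
            findings.append((oid, "legacy origin protocols allowed: " + ", ".join(sorted(weak))))
    return findings
```

To run it against a real distribution, pass the `DistributionConfig` object from the CLI output in place of `SAMPLE`.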