What are the benefits of requiring HTTPS between AWS CloudFront and the origin server?
I am hosting a website on Amazon CloudFront and we've recently updated the distribution to require HTTPS between CloudFront and viewers. With the introduction of AWS Certificate Manager and the viability of SNI, this move is simple and cheap. The benefits of moving this to HTTPS are numerous.
I'm now wondering about the benefit of requiring HTTPS between CloudFront and my origin server (which is a custom origin). I know that would mean that CF would request all origin objects over HTTPS, but I'm struggling to find what benefit (security or otherwise) this provides. Is there a practical attack vector that could be exploited because requests to the origin are not made over HTTPS?
There is more administrative overhead to setting up and maintaining HTTPS on the origin server, so I want to know whether the benefits make that overhead worthwhile.
Ref: docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html
It depends on your site.
If you run a special site involving high security and you want only select individuals located in several different countries with certain browsers to access your site and a login (or something unique to the user) is required to access the majority of the content on the site, then I'd say go for HTTPS.
If you have a generic site that presents information that you don't mind the whole world seeing, then HTTP for the HTML pages should be OK. Even though a hacker can download content via HTTP easier than with HTTPS, I still go with HTTP because it is a faster protocol, and in order for pages to be indexed (especially by Google), your site needs to run fast.
As for the man-in-the-middle attack that someone stated in their answer, it wouldn't matter much for a website that is meant for a worldwide audience. I'd stick with HTTP and let the CDN download the site. There may be delays here and there while the hackers do their random seconds of glory. By that, I mean where they take a split second and suck up over 10 MB of bandwidth in that split second. I know this from checking my server bandwidth graphs.
Now if you're doing a high-security site, HTTPS may help, but more importantly, you must make sure the scripts that process the site are 100% secure and bug-free.
If an attacker is able to put themselves between your origin server and a CloudFront edge location, it won't be so difficult for the attacker to capture your HTTP traffic and extract your information. Theoretically, it can be done on the side of your ISP.
It is called a "Man-in-the-middle" attack: en.wikipedia.org/wiki/Man-in-the-middle_attack
If you trust your ISP or hosting provider 100%, you don't need HTTPS.
Also, there is no need to encrypt public content.
Anyway, the ultimate best practice is to use HTTPS always.
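As an added example (not code from the question asker, the answerers, or AWS), the following script audits the origin side of a CloudFront distribution config and produces a hardened copy. It works on the `DistributionConfig` JSON shape that `aws cloudfront get-distribution-config` returns, where each custom origin carries an `OriginProtocolPolicy` (`http-only`, `match-viewer` or `https-only`) and an `OriginSslProtocols` list. The sample config, the origin IDs and the `.invalid` domain names are constructed placeholders. Note that `match-viewer` is flagged too: with that setting the CloudFront-to-origin hop is only encrypted when the viewer happened to use HTTPS, so it does not by itself guarantee the origin hop the question is asking about.

```python
"""Audit and harden the origin protocol settings of a CloudFront
DistributionConfig (the JSON shape returned by
`aws cloudfront get-distribution-config`)."""
import copy
import json

# Constructed sample: one custom origin still fetched over plain HTTP with
# old TLS versions allowed, one already hardened. Domain names are
# placeholders (.invalid), not real hosts.
SAMPLE_CONFIG = {
    "Origins": {
        "Quantity": 2,
        "Items": [
            {
                "Id": "custom-origin-http",
                "DomainName": "origin.example.invalid",
                "CustomOriginConfig": {
                    "HTTPPort": 80,
                    "HTTPSPort": 443,
                    "OriginProtocolPolicy": "http-only",
                    "OriginSslProtocols": {"Quantity": 2, "Items": ["TLSv1", "TLSv1.1"]},
                },
            },
            {
                "Id": "custom-origin-https",
                "DomainName": "api.example.invalid",
                "CustomOriginConfig": {
                    "HTTPPort": 80,
                    "HTTPSPort": 443,
                    "OriginProtocolPolicy": "https-only",
                    "OriginSslProtocols": {"Quantity": 1, "Items": ["TLSv1.2"]},
                },
            },
        ],
    },
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"},
}

# Protocol versions CloudFront can still be configured to offer to the origin
# but that should no longer be accepted.
WEAK_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def audit_origins(config):
    """Return one finding string per custom origin that CloudFront may reach
    over plaintext HTTP or with a deprecated TLS version."""
    findings = []
    for origin in config["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            # S3 bucket origins use S3OriginConfig instead and have no
            # origin protocol policy to audit.
            continue
        policy = custom["OriginProtocolPolicy"]
        if policy != "https-only":
            findings.append(
                f"{origin['Id']}: OriginProtocolPolicy is {policy}; "
                "origin fetches can travel as plaintext HTTP"
            )
        weak = WEAK_TLS & set(custom["OriginSslProtocols"]["Items"])
        if weak:
            findings.append(
                f"{origin['Id']}: allows deprecated TLS versions {sorted(weak)}"
            )
    return findings


def harden_origins(config):
    """Return a deep copy of the config in which every custom origin is
    forced to HTTPS with TLS 1.2 only. The input dict is left untouched so
    the caller can diff old against new before pushing it back."""
    hardened = copy.deepcopy(config)
    for origin in hardened["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            continue
        custom["OriginProtocolPolicy"] = "https-only"
        custom["OriginSslProtocols"] = {"Quantity": 1, "Items": ["TLSv1.2"]}
    return hardened


if __name__ == "__main__":
    for line in audit_origins(SAMPLE_CONFIG):
        print("FINDING:", line)
    print(json.dumps(harden_origins(SAMPLE_CONFIG)["Origins"], indent=2))
```

Run it as-is to see the two findings for the plaintext origin and the hardened JSON; in practice you would feed it the `DistributionConfig` object from `get-distribution-config` and push the result back with `update-distribution` (ETag handling omitted here). Switching the policy to `https-only` is only half the work: the origin must present a certificate from a CA that CloudFront trusts, matching the origin domain name, otherwise CloudFront returns an error to viewers rather than falling back to HTTP.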