

Question

I was in discussion with a vendor to implement a backup solution and, as flexible as most cloud applications are nowadays, it needs to be accessed from anywhere on the Internet without VPN or any special tunneling.

From a high-level perspective, the solution has a web-ish application that the client talks to, and it needs to talk to MS SQL for some database/datastore operations. I am a little concerned about exposing the application to the Internet, even just port 443/HTTPS as assured by the vendor rep. As a traditional design, I could put the application into a DMZ and leave SQL inside. I am still not 100% comfortable, but I do not have a scenario in mind to prove my concern.

I need your help to convince me that it is not safe to expose a web application to the Internet, even just port 443.

Explanation / Answer

Port 443 is the default port for HTTPS communication using SSL/TLS. As such, if you can reject and/or redirect traffic on port 80 (the default unsecured HTTP port) and reject all other ports, and if you can trust your web server OS's TCP/IP and TLS implementations, this scheme is as safe as any publicly-accessible computer communications endpoint can be made, from a hardware/firmware perspective.

However, this only proves that the means of communication is secure, and that this comm channel is the only way to get in. That can still mean the application communicating over this channel has vulnerabilities. Someone could hijack the remote system and use the secure channel to request information the person normally wouldn't be able to get. The remote system itself could store information it retrieves from you in an insecure manner. The component of this solution residing on your webservice could be vulnerable to any number of attack vectors that don't require breaking TLS itself; a third party could, for instance, perform a replay attack to corrupt data by making your server do things twice. Or, they could properly negotiate a TLS connection with your server and then pound on the relatively weak authentication system provided by the application.

In short, just because you can expose only port 443 to the world and accept only properly-negotiated TLS connections through it does not necessarily mean your system is secure. You must also trust that the application using the TLS channel is properly implemented to prevent various attacks carried out by systems using the channel. If you cannot trust this application, you should not use it.
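
One application-layer control for the replay case mentioned in the answer above, shown as an added example (it is not part of the original answer or the vendor's product): the server requires each request to carry a timestamp, a one-time nonce and an HMAC over the request, and rejects anything stale or already seen. The class name, key, endpoint path and 300-second window are assumptions made for illustration.

```python
import hashlib
import hmac
import time

MAX_SKEW = 300  # seconds a signed request stays valid (assumed policy)


class ReplayGuard:
    """Accepts each signed request once, inside a freshness window."""

    def __init__(self, key: bytes, max_skew: int = MAX_SKEW):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}  # nonce -> request timestamp, pruned as entries expire

    def sign(self, method, path, body: bytes, ts: int, nonce: str) -> str:
        # Sign every field that changes what the request does.
        msg = "\n".join([method, path, str(ts), nonce,
                         hashlib.sha256(body).hexdigest()]).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def verify(self, method, path, body, ts, nonce, sig, now=None) -> str:
        now = int(time.time()) if now is None else now
        # Forget nonces whose timestamps can no longer pass the freshness check.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        expected = self.sign(method, path, body, ts, nonce)
        if not hmac.compare_digest(expected, sig):
            return "bad-signature"
        if abs(now - ts) > self.max_skew:
            return "stale"
        if nonce in self.seen:
            return "replayed"
        self.seen[nonce] = ts
        return "ok"


def demo():
    guard = ReplayGuard(b"constructed-demo-key")
    body = b'{"job": "delete-snapshot", "id": 17}'  # constructed request
    sig = guard.sign("POST", "/api/jobs", body, 1000, "n-1")
    first = guard.verify("POST", "/api/jobs", body, 1000, "n-1", sig, now=1005)
    again = guard.verify("POST", "/api/jobs", body, 1000, "n-1", sig, now=1010)
    late = guard.verify("POST", "/api/jobs", body, 1000, "n-1", sig, now=2000)
    tampered = guard.verify("POST", "/api/jobs", b"{}", 1000, "n-1", sig, now=1005)
    return first, again, late, tampered


if __name__ == "__main__":
    print(demo())
```

The nonce store here is in-memory; a deployment with more than one web server would need a shared store so a request replayed against a different node is still recognised.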
