Is Meteor secure without HTTPS?


#1

It would be awesome (if this isn’t already the case) if Meteor used it’s own encryption for all data passing between the server and client, so that an app is completely secure even if on HTTP (not HTTPS). This would boost Meteor’s already awesome reputation. Security is a huge thing, and even if people are building great apps with Meteor, if Meteor’s not secure and a beginner programmer (Meteor aims to help beginners start making apps afterall) made something awesome with Meteor only to have a business based on Meteor fail because some hacker hijacked a bunch of financial information then Meteor will have failed.

Do you know if Meteor is secure on HTTP?

For advanced users, it would then also be nice to have a config option to turn on Meteor’s encryption when/if using HTTPS, for performance (if desired).


#2

No. You should always run your app on HTTPS if you care about security.

I am 100% sure this would be a huge mistake. Custom re-implementations of popular security systems are almost always doomed to fail.

However, it would be awesome if it were easier to set up SSL for your app, and that’s something we’re working on. It’s already trivial to set up SSL if you’re using Galaxy, and we want to make it easy even on a custom hosting setup.


#3

Do you or anyone at MDG know or have any experience with meteor applications and Let’s Encrypt?


#4

Not yet but on a different thread arunoda said he might build it into the next version of mup!


#5

On a semi-related note, in some cases you may not need a secure (https) endpoint for your MongoDB. Compose.io told me that if my Meteor app is on Amazon EC2, communications between my app and their databases (also on EC2) could be considered secure since it would be sending data back and forth over Amazon’s private/internal IPs.


#6

Data between servers should still be encrypted. Trusting a private network is not enough. Anyone with network access can intercept that traffic.


#7

I’m just going by what the folks at Compose told me.

You can leverage internal network traffic if you app instance and database are in the same region and essentially, SSL would not be required as it would take a monumental effort to crack the AWS network security: https://docs.compose.io/common-questions/internal-aws-traffic.html

This does assume that your app servers are the only clients connecting to your database and your driver is not creating ad hoc connections from multiple clients like web browsers and mobile apps etc.


#8

I hear you, but that is not enough for me. Of course, we host on our own private servers. Our clients don’t allow cloud hosting.


#9

It would be awesome (if this isn’t already the case) if Meteor used it’s own encryption for all data passing between the server and client, so that an app is completely secure even if on HTTP (not HTTPS).

No. HTTPS is the encrypted solution for HTTP.

Security is not just about encryption.


#10

On a semi-related note, in some cases you may not need a secure (https) endpoint for your MongoDB. Compose.io told me that if my Meteor app is on Amazon EC2, communications between my app and their databases (also on EC2) could be considered secure since it would be sending data back and forth over Amazon’s private/internal IPs.

This is indeed the case. However, good practice is never to transmit unencrypted sensitive data from A to B.


#11

I totally understand, but it just seems that the level of entry to set that up is a lot higher than the audience Meteor wishes to reach.

I myself made an encrypted site before (without HTTPS) but using the same crypto algorithms.

I know it’s easy to just use HTTPS (if you can) but, some people (new programmers for example) might not even think about it. It’d be great to cover these people from the get go.


#12

http://joshowens.me/ssl-and-meteor-js/

I myself made an encrypted site before (without HTTPS) but using the same crypto algorithms.

And how exactly would I, as enduser be able to identify the trust worthiness of your ciphers?


#13

One broken piece of code in your code base is enough to put your entire application at risk. I would never implement my own cryptography in any production environment.

Let’s not forget the heart bleed bug.


#14

Also, if installing an SSL cert is too hard then writing your own security shouldn’t even be talked about.


#15

There’s a different way of looking at this - if you want, you can set up your own security; if you don’t want to, you can use:

  1. meteor deploy free hosting with built-in SSL if it’s a hobby project
  2. Galaxy Developer Edition if it’s a serious hobby project or fledgling business
  3. Galaxy Team Edition if it’s a serious business

All 3 of those require essentially zero setup to use HTTPs :]


#16

HTTPS is hard to get right in the first place. Implementing your own encryption… is probably orders of magnitude harder.

Setting up SSL certs with MUP is pretty easy, arunoda is also adding support for lets-encrypt. MDG should send a christmas present to arunoda for all he’s done for the community.