It would be awesome (if this isn’t already the case) if Meteor used it’s own encryption for all data passing between the server and client, so that an app is completely secure even if on HTTP (not HTTPS). This would boost Meteor’s already awesome reputation. Security is a huge thing, and even if people are building great apps with Meteor, if Meteor’s not secure and a beginner programmer (Meteor aims to help beginners start making apps afterall) made something awesome with Meteor only to have a business based on Meteor fail because some hacker hijacked a bunch of financial information then Meteor will have failed.
Do you know if Meteor is secure on HTTP?
For advanced users, it would then also be nice to have a config option to turn on Meteor’s encryption when/if using HTTPS, for performance (if desired).
No. You should always run your app on HTTPS if you care about security.
I am 100% sure this would be a huge mistake. Custom re-implementations of popular security systems are almost always doomed to fail.
However, it would be awesome if it were easier to set up SSL for your app, and that’s something we’re working on. It’s already trivial to set up SSL if you’re using Galaxy, and we want to make it easy even on a custom hosting setup.
On a semi-related note, in some cases you may not need a secure (https) endpoint for your MongoDB. Compose.io told me that if my Meteor app is on Amazon EC2, communications between my app and their databases (also on EC2) could be considered secure since it would be sending data back and forth over Amazon’s private/internal IPs.
I’m just going by what the folks at Compose told me.
You can leverage internal network traffic if you app instance and database are in the same region and essentially, SSL would not be required as it would take a monumental effort to crack the AWS network security: https://docs.compose.io/common-questions/internal-aws-traffic.html
This does assume that your app servers are the only clients connecting to your database and your driver is not creating ad hoc connections from multiple clients like web browsers and mobile apps etc.
It would be awesome (if this isn’t already the case) if Meteor used it’s own encryption for all data passing between the server and client, so that an app is completely secure even if on HTTP (not HTTPS).
On a semi-related note, in some cases you may not need a secure (https) endpoint for your MongoDB. Compose.io told me that if my Meteor app is on Amazon EC2, communications between my app and their databases (also on EC2) could be considered secure since it would be sending data back and forth over Amazon’s private/internal IPs.
This is indeed the case. However, good practice is never to transmit unencrypted sensitive data from A to B.
I totally understand, but it just seems that the level of entry to set that up is a lot higher than the audience Meteor wishes to reach.
I myself made an encrypted site before (without HTTPS) but using the same crypto algorithms.
I know it’s easy to just use HTTPS (if you can) but, some people (new programmers for example) might not even think about it. It’d be great to cover these people from the get go.
One broken piece of code in your code base is enough to put your entire application at risk. I would never implement my own cryptography in any production environment.
HTTPS is hard to get right in the first place. Implementing your own encryption… is probably orders of magnitude harder.
Setting up SSL certs with MUP is pretty easy, arunoda is also adding support for lets-encrypt. MDG should send a christmas present to arunoda for all he’s done for the community.