Payload Encryption and HTTPS / TLS

I’m often asked, “Why do I have to encrypt the message (or payload) again, when the connection is already over HTTPS?”

Architects and engineers often think that transport security (e.g., HTTPS, SFTP, TLS) is the panacea for all cyber security concerns. It isn’t. Here are some of the common questions I get asked…a lot:

“Why do I have to do input validation? The site is already over HTTPS?”

“Why do I have to encrypt the files when I’m transmitting them over an SFTP connection?”

“It’s over HTTPS. It’s a secure site, right?”

All of the above assumptions are false. Transport encryption (e.g., HTTPS, TLS/SSL, SFTP) is just that: security, or encryption, of information in transit. Period. Take HTTPS, for example. An HTTPS connection encrypts the tunnel, or communication channel, that is created to transmit data. Think of it like a pipeline through which water flows. The data itself is not encrypted, but while it is on the communication channel it is protected, because the tunnel it flows through is secured. In the actual implementation we’re talking about individual network packets and frames, but that level of detail is not required here to drive home the point.

Here’s a simpler explanation of when payload encryption is recommended in addition to transport encryption. (Of course, the assumption here is that you’re transmitting sensitive content.) Transport encryption can only be enforced between two points, say point A and point B. Data remains protected while ‘on the wire’ between points A and B. Once the connection terminates at the destination, in this case point B, the data remains in clear text on point B. If there is an intermediate party between the sender and the final destination (e.g., a proxy, API gateway, load balancer, file share, etc.), then the data will remain in cleartext (at rest) on this intermediate party. In other words, if data has to be transmitted from point A to point C and it has to pass through an intermediate party, say point B, then transport security can only protect the data while it is in transit between A and B, and then again between B and C. But while the data is on B (even if only temporarily), it remains in clear text and will be accessible to the administrators or any other authorized (or even unauthorized) users of point B.
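The A to B to C scenario above, as an added example in Node.js (not code from the original post): it compares what the intermediary B holds when only the transport is encrypted with what it holds when A also encrypts the payload for C. The function names, the sample record and the AES-256-GCM key shared by A and C (and never given to B) are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed key known only to A and C (assumed provisioned out of band); B never holds it.
const keyAC = crypto.randomBytes(32);

// Point A: seal the payload with AES-256-GCM before it enters the TLS tunnel.
function sealAtA(plaintext, key) {
  const iv = crypto.randomBytes(12); // fresh nonce for every message
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const b64 = (buf) => buf.toString('base64');
  return { iv: b64(iv), ct: b64(ct), tag: b64(cipher.getAuthTag()) };
}

// Point B: TLS ended here, so B holds exactly the body A sent. Models B's request log.
function seenAtB(body) {
  return JSON.stringify(body);
}

// Point C: verify the GCM tag and decrypt; final() throws if the envelope was altered.
function openAtC(env, key) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(env.iv, 'base64'));
  d.setAuthTag(Buffer.from(env.tag, 'base64'));
  return Buffer.concat([d.update(Buffer.from(env.ct, 'base64')), d.final()]).toString('utf8');
}

// An envelope modified while at rest on B must be rejected by C.
function tamperedRejected(env, key) {
  const ct = Buffer.from(env.ct, 'base64');
  ct[0] ^= 1;
  try { openAtC({ ...env, ct: ct.toString('base64') }, key); return false; }
  catch (e) { return true; }
}

// Constructed sample record; values are placeholders.
const record = JSON.stringify({ account: 'ACCT-CONSTRUCTED', ssn: '000-00-0000' });

const transportOnlyAtB = seenAtB({ data: record }); // TLS only: cleartext on B
const envelope = sealAtA(record, keyAC);
const payloadEncryptedAtB = seenAtB(envelope);      // TLS + payload encryption
const atC = openAtC(envelope, keyAC);

console.log('B, transport only:   ', transportOnlyAtB);
console.log('B, payload encrypted:', payloadEncryptedAtB);
console.log('C, after decrypt:    ', atC);
console.log('tampered envelope rejected at C:', tamperedRejected(envelope, keyAC));
```

With transport encryption alone, B's copy contains the record verbatim; with the payload sealed at A, B holds only the nonce, ciphertext and tag, and C recovers the record with the key B does not have.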

I’m sure you get the point. Transport encryption only protects the data while in transit. Period.

