
I am making a websocket server that can communicate with clients.

This server is going to be on a private VLAN channel in a public place, AKA only the staff have access to the network which the server is on.

When this is the case, do I need to implement SSL or any other form of security, if the "hackers" can't get access without being connected to the VLAN?

  • If there is valuable information on this webpage, assume someone will attempt to get unauthorized access to the LAN (even physically if required). Not being connected to the internet will not deter a determined hacker if they have something to gain from it. – Nathanael Nov 20 '18 at 19:17
  • The server controls the lighting in the building, so no information. Just the control of the light. And side note, there is always an iPad connected to the server that all people have access to... so not really that secure, even if I put some security on :/ – Mads Bødker Christensen Nov 20 '18 at 19:54
  • There's an [Information Security](https://security.stackexchange.com) stack exchange where experts in the field answer questions like this. – user1118321 Dec 21 '18 at 04:35
  • Hackers can be within the staff personnel too :-). Or be people close to them. The question is "can you afford the risk of having no security at all?". Where the app runs at is irrelevant. – Laiv Dec 23 '18 at 21:13

1 Answer

It depends.

If your network is in any way wireless, then people can pretty trivially get access to the bits that way. Modern wireless setups will still obscure things, but older wireless protocols are notoriously easy to decrypt. And of course a modern setup today is an outdated setup after a few years of neglect.

If your server does public things, like say... tell clients what the temperature is in the building, then maybe it doesn't need to be secured. People aren't going to break into your network to get information they could get way easier by just feeling the air around them.

But if your clients are... refrigerators or something that react based on the temperature in the building, then unsecuring the server could let attackers tell your refrigerators that it's already freezing cold! No need to chill that food!

All in all, there are a few isolated cases where security provides no benefit but a lot of cases where it would be good. Basic encryption is easy to set up these days and can stop a lot of casual external problems.

Though you should be aware that statistically, the most likely source of attack is from the staff either due to accident, misuse, social engineering, or internal malevolence.

Telastyn