# general
m
Morning! You’re sort of begging the question 🙂 Is it safe to do this thing that’s safe to do? 😄
The questions to ask are: What makes it safe using HTTP there? How are you protecting that traffic, and what are the threats?
t
Ahah yes, I’ve written my message too fast 😄 The questions are:
• Should I set up HTTPS for lines of connection 1, 2, 3? Can 4 be just HTTP since it’s in a private subnet inside a VPC?
• If yes, what are you recommending using for having HTTPS through 1, 2, 3?
m
(I’m not an Ory person, btw)
But if (4) is in a private subnet then I would imagine it’s low risk. It might be worth considering what the threats might be in the VPC and writing them down to assess, and if you deem them low risk in your use case (e.g. you’re not a bank or a military supplier) then write that down too and show it to your friendly neighbourhood pen tester when you get them in to check the system.
m
FWIW I agree with Robert. It always helps to do some threat modelling! See this talk from Ory Summit on the topic as well 🙂

https://www.youtube.com/watch?v=yHf9Z-eKc0U
