Web ssl #282

Closed
wants to merge 3 commits into
from

@SandyChapman

Based on code / comments in #278

+
+The Locust web interface also supports SSL encrypted connections. This is especially useful
+if, for instance, you're testing an API which may incidentally expose personal information
+or application secrets through the web interface.
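Review bot: The rationale in the second added sentence ("incidentally expose personal information or application secrets through the web interface") does not say what the web interface actually displays, so a reader cannot tell what the encryption is protecting. Name the exposed data concretely, and since the added lines stop at motivation, follow them with the setting or steps that enable SSL, or point to where those are documented.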
@justiniso
justiniso Feb 12, 2017 Member

I don't follow this argument. Any sensitive data would be sent from the locust boxes to the application under load, which depends on the application having SSL. What sensitive data would exist in the UI and how would SSL protect that?

@cgoldberg
cgoldberg Feb 13, 2017 Member

I'm not crazy about the wording either... perhaps you can give it another shot.

But the web UI displays the hostname being tested and the URLs you are hitting. That might be disclosing more info over cleartext than someone is comfortable with.

@justiniso
justiniso Feb 13, 2017 Member

I still question the value for the wider locust audience. SSL encrypted UI may prevent MITM, but it's irrelevant if the page is unsecured. Related: #284. My concern here is the same as the comment there. In my opinion, it's cleaner and more secure to attach layers of security on top of locust rather than trying to make the locust page secure. If the encryption and auth are important for your organization, the time investment to set up nginx + Let's Encrypt with basic auth is relatively small.
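
The layering described in the comment above, sketched as an added example (not part of the original thread and not Locust project code). It assumes Locust's web UI is bound to loopback on its default port 8089; the hostname, certificate paths, webroot and htpasswd path are placeholders.

```nginx
# Added example: TLS termination + basic auth in front of the Locust web UI.
# Assumptions: Locust's web UI listens on 127.0.0.1:8089 only (for example
# via its --web-host option), so it cannot be reached around the proxy.
# locust.example.com and all file paths below are placeholders.

server {
    listen 80;
    server_name locust.example.com;

    # Let's Encrypt HTTP-01 challenges are answered over plain HTTP.
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    # Everything else is redirected, so the UI is never served in cleartext.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name locust.example.com;

    # certbot's default layout for the issued certificate and key.
    ssl_certificate     /etc/letsencrypt/live/locust.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/locust.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Credentials are only ever sent inside the TLS session.
    auth_basic           "Locust";
    auth_basic_user_file /etc/nginx/locust.htpasswd;

    location / {
        proxy_pass http://127.0.0.1:8089;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

This covers only the browser-to-UI hop; traffic between distributed Locust nodes and from the load generators to the system under test is unaffected by it.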

@cgoldberg
cgoldberg Feb 13, 2017 Member

Let's close this then.

@SandyChapman
SandyChapman Feb 15, 2017

@justiniso, @cgoldberg: Our use case was to run locust distributed across several AWS EC2 instances. In such a case, the provisioning of SSL and nginx would have additional complexity. I understand if you guys want to keep locust insecure by default and let everyone have to add their own security as you guys may not have the time to maintain these features.

To answer your previous question, sensitive information can appear in the paths being used, which are displayed in the UI. For instance, URL-encoded forms that may be used for authentication (not that I used this, but there could be APIs that do use it).

I see value in these features specifically because we had a real-life client specifically ask for them (multi-billion dollar corp).

@justiniso justiniso closed this Feb 13, 2017