
I'm developing a MEAN stack application, and I'm currently setting up an account system. I've seen several tutorials about Authentication, all using JWT.

I am wondering if JWT could be used as a way to secure communication transport over a non-secured connection like HTTP?

I've set up HTTPS to communicate from my Angular 4 front-end to my NodeJS + Express back-end, and thus am wondering if JWTs are necessary to secure my communications?

Maxime Flament

  • There are 2 different concepts of "secure": security of communication vs. security of account and website content. JWT is NOT necessary for HTTPS communication. – shaochuancs Aug 31 '17 at 10:11
  • JWT **does not** _secure communication transport over non-secured connection like HTTP._ JWT is mainly an authentication system and **should only be used with HTTPS**, but JWT does not increase the security level of HTTPS. Maybe your inverted question would make more sense – pedrofb Aug 31 '17 at 11:33

5 Answers


JWT should not be confused with encryption. From jwt.io:

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.

The JWT is signed with public/private key pairs so the sender can be verified, and it can be verified that the payload has not been modified. However, the JSON Web Token is in clear text.

// Sample JWT from jwt.io: header.payload.signature, each part base64url-encoded
var token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ";

// The payload is the middle part; it is only encoded, not encrypted
var payload = token.split('.')[1];

// atob() expects standard base64, so map the base64url alphabet ('-' and '_') back first
console.log('Payload: ' + atob(payload.replace(/-/g, '+').replace(/_/g, '/')));

Below is a figure from jwt.io showing the authentication flow when using JWT. [figure: JWT authentication flow, from jwt.io]

You need SSL/HTTPS to encrypt the communication. Without SSL/HTTPS attackers can sniff the network traffic and obtain the JWT, hence your application is vulnerable to man in the middle attacks.

rckrd

  • I think OP is confused on 2 different concepts of "secure": security of communication vs. security of account and website content – shaochuancs Aug 31 '17 at 10:10
  • That's it, I wasn't getting the real usage of JWT, which is the fact that it is used to replace **sessions**, and I thought it had the same job as HTTPS – Maxime Flament Aug 31 '17 at 10:15
  • Actually that is JWS (one branch of JWT), whereas JWE (another branch of JWT) actually encrypts the payload. – Michael Aug 08 '19 at 11:35
  • This is the best and most thorough answer. I use JWE for our authentication management because it encrypts ALL the data, which then is again encrypted if it is over HTTPS. I feel like this is the best solution. It does have drawbacks. While it does encrypt the entire token along with all data contained in the token (not just the signature), it makes the token so large (due to the high encryption standard and small amount of data in the token) that it barely fits inside the maximum size of a cookie for most browsers. So, there's that. – Vector Jun 01 '20 at 06:25
  • Yes, I agree, this is the best explanation with regard to the question, especially since a JWT can be sniffed using a MITM attack if passed over HTTP; the same goes for session-token-based approaches like the JSESSIONID cookie, for example. – Roshan Aug 31 '21 at 20:50

Is JWT necessary over HTTPS communication?

No. The communication protocol (HTTP vs. HTTPS) is one thing, and the authentication mechanism (JWT vs. Session) is another -- these are 2 totally different areas.

For the communication protocol (HTTP vs. HTTPS), HTTPS can be used alone, without any JWT tokens or sessions. For example, a static web site can be made (only HTML+CSS) and served with HTTPS. In this way, the web site can be certified by a CA and forgery attacks prevented.

Even if you need authentication in a web application, a JWT token is not the only choice. Session is an old technology but it is still reliable, which makes JWT definitely NOT necessary.

shaochuancs

  • Yes, it's not necessary, but my question was: is using JWT over HTTPS necessary? But thanks for pointing out that sessions can be used to verify the authentication of a user! – Maxime Flament Aug 31 '17 at 10:16
  • @MaximeFlament Well, for "using JWT over HTTPS", I still don't think it's necessary -- of course, it's a good solution, but there are many other good solutions too. Some web sites don't even have their own account system and use a 3rd-party login service instead -- in this case, the web site does not maintain its own JWT token – shaochuancs Aug 31 '17 at 10:31
  • JWT can be used through HTTP connections. It just depends on the application context. It can also be encrypted: see https://tools.ietf.org/html/rfc7516 – Spomky-Labs Sep 01 '17 at 07:26
  • _"JWT can be used through HTTP connections"_ <- this is an extremely dangerous mention if you don't follow it up with "but don't do that". It's like saying you can stick passwords into a database in plain text. You can, but you sure shouldn't. If you transmit JWTs over clear-text HTTP, they can be hijacked, and that means an entire user's session can be stolen. JWTs are sensitive information and should be transmitted as such. **Please transmit your token/session identification information over HTTPS!** – Lo-Tan Aug 31 '20 at 22:19
  • @Lo-Tan totally correct. Transfer token/session identification info over HTTPS. There's an exception - you can use JWT over an insecure communication protocol when the JWT secret is already known by a client in advance – JohnIdlewood Jan 31 '23 at 19:31

Nowadays developers prefer Token-Based Authentication instead of Session. Token-Based Authentication has lots of advantages over Session. We use JWT, i.e. JSON Web Token, to generate a token after user authentication. Every time your front-end app makes an API call, your system should check whether the request has a valid token or not; if it is there and it is valid, then it is considered a valid user.

In short, we use JWT to validate our API calls; it has nothing to do with HTTP or HTTPS.

MeVimalkumar

  • Okay, so it's a way to make sure the user is authenticated and to validate its authentication when requesting a service in my back-end that requires being authenticated? I've seen several videos/tutorials (see: https://jwt.io/introduction/) telling that JWTs are used to secure communication over HTTP because they're encrypting the data that is transported, and they can ensure that the data wasn't modified, i.e., its integrity hasn't been compromised – Maxime Flament Aug 31 '17 at 09:43
  • That's correct too. Watch this. https://www.youtube.com/watch?v=K6pwjJ5h0Gg – MeVimalkumar Aug 31 '17 at 09:50
  • JWT may be better than Session, but it is definitely NOT necessary. – shaochuancs Aug 31 '17 at 10:07
  • Please read http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/ and http://cryto.net/~joepie91/blog/2016/06/19/stop-using-jwt-for-sessions-part-2-why-your-solution-doesnt-work/ – Spomky-Labs Sep 01 '17 at 07:23
  • This really doesn't answer the question, which is about the security of information exchange using JWT over encrypted/non-encrypted protocols... – duhaime Jul 16 '19 at 10:36

No, JWT is not required when your server supports HTTPS. The HTTPS protocol ensures that the request & response are encrypted on both ends (client & server).

I believe you would want to send user credentials across in every request to the server, and in turn the server validates the user before sending any response.

Although you can do the above, on the server end you would end up validating user credentials against a database in every request, which is an expensive task; you can avoid this when you use JWT.

JWT basically authenticates a user once & issues an access token which could be valid for a duration of time.

user3785966

  • No, I don't want to leak users' credentials. That's a really huge vulnerability! I wanted to cipher the data exchanged between clients and an API; thus, HTTPS can do the job. However, I also needed to ensure that users are authenticated. In a stateless configuration, where sessions don't exist, JWT is a solution because this "protocol" has an authentication property + it guarantees the integrity of the message. – Maxime Flament Nov 12 '18 at 16:49
  • The last property I was looking for was the identification property, which is provided by HTTPS certificate validation (done on the client side, when receiving the domain's certificate). When I say "identification property", I'm using the crypto meaning of this word, i.e., a mechanism to ensure that data received by Bob from Alice has actually been sent by Alice (and not by an attacker faking he's Alice). – Maxime Flament Nov 12 '18 at 16:50

I'm new to JWT. Here is my scenario of an attack on JWT when it's used over http instead of https. Suppose a JWTa is issued to userA for accessing resource A on the server. A hacker is also a legal user of the server; he got JWTh to access resource H. Without the https protection, the hacker can sniff the network, get the JWTa from the http header of A's request and put it into the hacker's request. Since JWTa is a valid token, the hacker can access resource A. I guess the JWT protocol can prevent this, but I don't know how. After the signature is verified, the claims also need to be verified. Seems the "aud" can prevent this, but I don't know how it works exactly.

Wqh