> how many of you don't terminate SSL at load balancer?
Oof, this just reminds me of the whole PRISM thing [0] where NSA was tapping inter-DC fiber links and Google wasn't encrypting (some of) the traffic between DCs
Yep, if you are Google you should put in place every layer of security you can think of and then double them.
But there's only a few Google around.
Besides, NSA can (and probably already is) collect encrypted streams and then try to break them offline.
Real time is not an hard requirement for them.
if what you are doing doesn't require secrecy, HTTP could suffice.
Imagine you built an app for weather reporting, the app downloads static json from a server using the hardcoded ip address.
HTTPS would add no benefit, worst that can happen is that someone hijacks the ip address (for some of the users, it's not possible to do it worldwide) and point the app to the wrong jsons, that might or might no be valid for the app.
Which is a lot of effort to break a weather app...
Oof, this just reminds me of the whole PRISM thing [0] where NSA was tapping inter-DC fiber links and Google wasn't encrypting (some of) the traffic between DCs
[0] https://slate.com/technology/2013/10/nsa-smiley-face-muscula...