1

So now that we can call HTTPS functions directly from client side, I'm wondering if I can use it for sensitive transactional requests and if it's safe. Before I was using forms with POST method but this could make things much simpler.

Is the call from the beginning to the end encrypted?

TheBen

2 Answers

6

It may not be obvious at first, but you're asking a lot of questions here. It may take some time to unwind your concerns.

First of all, both Cloud Functions HTTPS functions and callable functions are encrypted. In fact, all traffic in and out of Google is encrypted. That is the norm, and you can't even disable that if you wanted to. However, encrypted traffic doesn't necessarily mean that it's "safe". Encryption just guarantees that there can be no man-in-the-middle attacks that are eavesdropping or changing the content on the way in or out.

Encryption doesn't prevent someone from simply invoking the function directly from their own code. For HTTPS and callable functions, it's very much possible for anyone to invoke your function directly. There are no requirements that the call must be coming from your app or your web site. If this is a requirement for you, you need to perform some checks in your function itself to ensure that the call is valid.

With HTTP type functions, you can require that the caller send an authentication token with the request. Then, you can validate the token in your function, and proceed only if everything looks OK to you. There is an example of this in the official samples.

With callable type functions, an authentication token is automatically added if the user is logged in with Firebase Auth. The token is automatically validated as well. All you have to do is check to see if the user is allowed to do whatever it is the call wants to do.

"Safety" is not just about encryption. It includes both authentication and authorization as well.

Doug Stevenson
  • when requesting through a proxy, at least the requested HTTPS URL would be exposed... therefore it depends if a client (wherever it may be located) is behind a proxy, whether or not. adding further security measures is therefore required. – Martin Zeitler Aug 24 '18 at 13:50
  • @MartinZeitler HTTPS can not be relayed through a proxy with its contents exposed to the proxy. https://stackoverflow.com/questions/516323/https-connections-over-proxy-servers – Doug Stevenson Aug 24 '18 at 13:53
  • that may be, but the initial request (which tells the URL) would still hit the proxy... just like an application layer firewall can intercept just anything, even if not on layer 3. – Martin Zeitler Aug 24 '18 at 13:56
  • @MartinZeitler That's not the way it works. The entire transmission is encrypted from start to end. The proxy isn't told the URL. https://stackoverflow.com/questions/499591/are-https-urls-encrypted – Doug Stevenson Aug 24 '18 at 14:03
  • this might not apply in any scenario, because else one could not block certain `HTTPS` destination addresses on a firewall. – Martin Zeitler Aug 24 '18 at 14:44
  • @MartinZeitler You don't need the full URL to determine the destination, just the IP address of the remote service to contact. I suspect you're being overly paranoid about what can happen at the proxy. – Doug Stevenson Aug 24 '18 at 14:46
  • it's transparent vs. non-transparent proxy... while with client-side security applications, there might still be access to the requested URL (not on the basic level, but before it is even being requested)... or within Chrome extensions, one can access those, too... don't think it's paranoid, rather that it's not entirely impossible, despite the attack vector is rather small. can confirm, that HTTPS firewalls can only filter host-name or IP. – Martin Zeitler Aug 24 '18 at 15:07
  • Thanks for your input, I was essentially thinking of the same thing that's being discussed here. – TheBen Aug 24 '18 at 15:48
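The token check and authorization step described in the first answer, as an added example that is not part of the original answers or the official samples. The transfer operation, the `fromUid`/`amount` fields and the helper names are hypothetical; the verifier is injected so the logic runs offline, and in a deployed function it would be `admin.auth().verifyIdToken` from `firebase-admin`.

```javascript
// Added example: authentication plus authorization for an HTTP-style function.
// verifyIdToken is injected; in a deployed function it would be
// (token) => admin.auth().verifyIdToken(token) from firebase-admin.
// The transfer semantics and the fromUid/amount fields are hypothetical.

function extractBearerToken(req) {
  const header = (req.headers && req.headers.authorization) || '';
  const match = /^Bearer ([^\s]+)$/.exec(header);
  return match ? match[1] : null;
}

async function handleTransfer(req, verifyIdToken) {
  // 1. Authentication: who is calling? TLS alone does not answer this.
  const token = extractBearerToken(req);
  if (!token) return { status: 401, body: { error: 'missing bearer token' } };

  let decoded;
  try {
    decoded = await verifyIdToken(token);
  } catch (err) {
    // Expired, malformed or forged tokens all end up here.
    return { status: 401, body: { error: 'invalid token' } };
  }

  // 2. Input validation: the body is attacker-controlled.
  const { fromUid, amount } = req.body || {};
  if (typeof fromUid !== 'string' || !Number.isInteger(amount) || amount <= 0) {
    return { status: 400, body: { error: 'bad request' } };
  }

  // 3. Authorization: the verified uid, not the request body, decides
  //    whose account may be touched.
  if (decoded.uid !== fromUid) {
    return { status: 403, body: { error: 'not allowed' } };
  }
  return { status: 200, body: { ok: true, uid: decoded.uid, amount } };
}

// Constructed stand-in for the real verifier, used only to run this offline.
async function fakeVerifyIdToken(token) {
  if (token === 'valid-alice') return { uid: 'alice' };
  throw new Error('token rejected');
}
```

In a callable function the first step is done for you, so only steps 2 and 3 remain, with the verified uid taken from the call context instead of `decoded`.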
1

The documentation you refer to explicitly mentions that Callable Functions are HTTPS ones, so yes the call is encrypted from end-to-end.

The Cloud Functions for Firebase client SDKs let you call functions directly from a Firebase app. To call a function from your app in this way, write and deploy an HTTPS Callable function in Cloud Functions, and then add client logic to call the function from your app.

Renaud Tarnec