I currently have a group of web-services exposing interfaces to a variety of different client types and roles. Authentication is handled through a public/private key pairs (RSA) only to verify the URL as signature in the HTTP Header.
At this time the HTTP Body is not encrypted (I use a private/public key of 2048 bit which allows me to encrypt only small amounts of information), so RSA is not enough safe because the server can no longer prove to himself that there's not a Man-In-The-Middle. I can encrypt also the HTTP body, but what about performance?
My question is: what techniques are recommended to prevent a MITM attack in this case?
Best Answer
There is absolutely no point in using HTTPS if you don't encrypt the entire authenticated session. If any point you transmit the session id over an insecure channel then an attacker can use this to authenticate (Like Firesheep). Further more you are violating OWASP a9.
From a performance perspective the most expensive part of SSL is the initial handshake. This is cached and there for only done once per client.
Another thing to keep in mind is that if you want to stop SSLStrip style attacks then you should set the STS-Header.