API security question: SSL or more?
I am developing an API for a web application. Desktop clients will interact with the API using simple HTTP posts (REST). I will be using SSL, there is no question about that. My question is this: should I also be encrypting the data before it is sent over SSL? The information being sent may contain confidential information. Is SSL enough or should I be doing more? My only concern with adding additional layers of security is that it will make it substantially more difficult for people to interact with the API. Any thoughts on this would be much appreciated.
No, SSL provides strong encryption as it is. Just make sure you force clients to use HTTPS, and if you're really paranoid, check if the cipher is strong enough.
The only reason you'd want to encrypt a second time is if your web application passes the data straight on to some other system. In that case, you could keep the web application ignorant of the actual data and provide end-to-end encryption between the client and the final destination.
If you trust your certification authority, your clients do, and your key is sufficiently secure (RSA 2048 will not be breakable for a while), there are no problems at all with SSL. You don't need to encrypt your data before SSLing, as SSL itself provides encryption.
If this API is to be used over the internet, the list of certification authorities here will be useful to you in choosing one.
You can also have your clients authenticate over SSL, with SSL client certificates.
IMHO, I would not add another layer of encryption on top of the already existing encryption. It will add overhead and as you say, complexity to the API. SSL exists to send secure data between two nodes, so why reinvent the wheel?
As Shtééf already pointed out, if you need end-to-end encryption instead of point-to-point then you need encryption. Another case where this might be relevant is if your client application communicates with the server through integration services and service buses. In this case the SSL encryption is not enforced while the message is in an intermediary node, and that node may do whatever it wants with the unencrypted confidential data.
Furthermore, if your clients use these integration services then they might not enforce SSL connections between the client and the integration service.
While working with highly confidential information, I tend to go for end-to-end security instead of SSL-encrypted communication channels for this reason.
Yes. SSL would help with man-in-the-middle and wiretapping but there are other attacks SSL won't help with such as replay attacks.
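Added example, not part of any answer in this thread: one common way an API layers replay protection on top of HTTPS is for the client to MAC each request over a timestamp and a one-time nonce, which the server checks for freshness and reuse. The names `sign`, `ReplayGuard` and `MAX_SKEW`, the shared per-client key and the 300-second window are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

MAX_SKEW = 300  # seconds a signed request stays acceptable (assumed policy)


def sign(key: bytes, ts: int, nonce: str, body: bytes) -> str:
    """Client side: HMAC-SHA256 over timestamp, nonce and body."""
    # Length-prefix each field so bytes cannot be shifted between fields.
    msg = b"".join(len(p).to_bytes(4, "big") + p
                   for p in (str(ts).encode(), nonce.encode(), body))
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ReplayGuard:
    """Server side: reject stale, tampered or already-seen requests."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = {}  # nonce -> timestamp; a shared store with TTL in production

    def verify(self, ts: int, nonce: str, body: bytes, mac: str, now=None) -> str:
        now = int(time.time()) if now is None else now
        # Forget nonces whose requests the freshness check would reject anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        if abs(now - ts) > MAX_SKEW:
            return "stale"
        # Check the MAC before recording the nonce so that unauthenticated
        # requests cannot fill or poison the nonce cache.
        if not hmac.compare_digest(sign(self.key, ts, nonce, body), mac):
            return "bad-mac"
        if nonce in self.seen:
            return "replay"
        self.seen[nonce] = ts
        return "ok"


if __name__ == "__main__":
    key = os.urandom(32)  # constructed demo key
    guard = ReplayGuard(key)
    ts, nonce = int(time.time()), os.urandom(16).hex()
    body = b'{"amount": 10}'  # constructed sample request body
    mac = sign(key, ts, nonce, body)
    print(guard.verify(ts, nonce, body, mac))  # first delivery
    print(guard.verify(ts, nonce, body, mac))  # same request delivered again
```

The nonce cache only has to remember entries for as long as the timestamp window accepts them, which keeps server-side state bounded.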