K2 relies on HTTPS to secure communication between browsers and the server
KB003676
HTTPS provides a general level of security that makes it difficult for malicious entities to intercept, decrypt, and change users' traffic. K2 Five, K2 Cloud, and many other platforms with a web-based user interface rely on HTTPS for this security.
System administrators must configure their K2 installations to be available only over HTTPS, with a valid certificate from a trusted certificate authority. They must also configure the underlying servers with best practices in mind: allowing only TLS 1.2, and enabling HSTS, which instructs browsers to always use HTTPS when connecting to the site.
The security of HTTPS also depends on user actions. Users must not accept or trust connections to sites where the browser indicates there is something wrong with the site's certificate. The security of HTTPS is also compromised if a malicious entity controls a user's internet or network connection.
If you need to connect to business-critical systems over public Wi-Fi, such as at an internet cafe, it is best practice to use a VPN connection. Doing so ensures that a compromised network cannot intercept the traffic.
While HTTPS ensures that traffic cannot easily be intercepted and modified by another user or a malicious entity, it does not prevent users from intercepting their own traffic and compromising the security HTTPS provides. A user can set up a local proxy, trust its certificate, and then configure their browser to make connections through that proxy. This allows the proxy to view, intercept, and modify the HTTPS traffic. This is true for most platforms with a web-based user interface.
Because of this local proxy issue, K2 solution designers must understand that client-side rules and validation, such as those available in SmartForms, cannot ensure data security. Data security, whether it is validation of data integrity or enforcement of authorized access to data, must be built into the data layer in the server-side component, where interception of HTTPS traffic cannot bypass it.
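As an added illustration of this point (example code, not K2 or SmartForms code; the claim records, owner table, limits and the two request payloads are constructed), a server-side handler that re-applies the form's rules and the authorization check regardless of what the client sent, so a request altered by a proxy the user trusts is rejected at the data layer:

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed data-layer state (hypothetical): who owns which claim record,
# and each user's approval limit. In a real solution this lives server-side.
RECORDS = {101: {"owner": "alice"}, 102: {"owner": "bob"}}
LIMITS = {"alice": 500, "bob": 2000}


@dataclass
class Result:
    accepted: bool
    reason: str = ""
    saved: dict = field(default_factory=dict)


def validate_claim(payload: dict) -> Tuple[Optional[int], str]:
    """Re-run the form's rules on the server. A client-supplied flag such as
    'client_validated' is ignored: a user-controlled proxy can set it freely."""
    try:
        amount = int(payload["amount"])
    except (KeyError, TypeError, ValueError):
        return None, "amount missing or not an integer"
    if not 0 < amount <= 10_000:
        return None, "amount outside allowed range"
    if not str(payload.get("description", "")).strip():
        return None, "description required"
    return amount, ""


def submit_claim(user: str, record_id: int, payload: dict) -> Result:
    """Authorization first, then validation; neither depends on the client."""
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != user:
        return Result(False, "not authorized for this record")
    amount, err = validate_claim(payload)
    if amount is None:
        return Result(False, err)
    if amount > LIMITS[user]:
        return Result(False, "amount exceeds approval limit")
    return Result(True, saved={"record_id": record_id, "amount": amount,
                               "description": str(payload["description"]).strip()})


# Constructed requests: one as the form would send it after its own rules
# passed, and one altered in transit (amount raised, bogus flag added).
NORMAL = {"amount": "250", "description": "taxi"}
TAMPERED = {"amount": "4000", "description": "taxi", "client_validated": True}

if __name__ == "__main__":
    print(submit_claim("alice", 101, NORMAL))      # accepted
    print(submit_claim("alice", 101, TAMPERED))    # rejected: over limit
    print(submit_claim("alice", 102, TAMPERED))    # rejected: not alice's record
```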
For general information about HTTPS, refer to https://https.cio.gov/faq/.
Additional information can also be found at https://en.wikipedia.org/wiki/HTTPS.