
January 29th, 2006, 10:37 PM
It's only wrong if you're caught....
Join Date: Dec 2003
Location: Sydney, Australia
Quote: Originally Posted by DantePonz
Is it possible to grab/sniff communications between a local application and a server? We have an application in development which resides locally but gets all of its data from php/mysql scripts. Some of the material is sensitive. Should my application call http:// or https:// pages? Is the SSL concern only present in browser-server interactions?
Firstly, yes, it is possible to sniff data between an application and a server, but it depends on the setup. E.g. if every computer which is going to connect to your server for data is connected directly to the router via a cable (i.e. not wifi), then the chance of people being able to sniff the traffic on the local side is very limited. If, on the other hand, you anticipate people trying to access the data from unsecured wifi networks, then things are definitely sniffable. It all depends on the setup, primarily on the user end, since most attackers will not have access to your server's LAN, right? And there is almost zero chance that an attacker has access to your ISP, or any of the tier 1 ISPs through which traffic is going to get routed.
If you're sending sensitive data then encryption is a good idea. Whether you do that via SSL or something else depends on your situation. The only vulnerability (that I know of, correct me if I'm wrong) that exists in SSL is that, like all asymmetric encryption schemes (and SSL uses asymmetric key cryptography to negotiate a key for the symmetric encryption which is used for the length of the connection), it is vulnerable to Man in the Middle (MITM) attacks, where the attacker intercepts communication between the server and client (ARP cache poisoning is one possible way to cause MITM attacks).
So unless you foresee someone being able to execute MITM attacks on the client end, then SSL is a good way to send your data.
But if you do use SSL your traffic will _not_ be vulnerable to passive attacks such as sniffing.
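An added example, not part of the original post: a non-browser client gets the protection discussed above only if it refuses plain http:// and validates the server certificate, which is the check that makes an interception attempt fail the handshake. The function names are hypothetical, and the optional certificate pin is an extra hardening step assumed here, not something the thread describes.

```python
import hashlib
import hmac
import http.client
import ssl
from urllib.parse import urlsplit


def require_https(url):
    """Reject any URL that would send the data in cleartext."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("refusing non-HTTPS URL: %r" % url)
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    return parts.hostname, parts.port or 443, target


def make_client_context(cafile=None):
    """TLS context that validates the server's chain and hostname."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Already the defaults; set explicitly so a certificate error is never
    # "fixed" by switching verification off, which re-opens the MITM hole.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def pin_matches(der_cert, expected_sha256_hex):
    """Compare the SHA-256 of the server's DER certificate to a known value."""
    actual = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


def fetch(url, pin_sha256_hex=None, cafile=None, timeout=10):
    """GET url over verified TLS, checking the pin on the same connection."""
    host, port, target = require_https(url)
    conn = http.client.HTTPSConnection(
        host, port, timeout=timeout, context=make_client_context(cafile))
    try:
        conn.connect()  # handshake; raises on an untrusted chain or wrong host
        if pin_sha256_hex is not None:
            der = conn.sock.getpeercert(binary_form=True)
            if not pin_matches(der, pin_sha256_hex):
                raise ssl.SSLError("server certificate does not match pin")
        conn.request("GET", target)
        return conn.getresponse().read()
    finally:
        conn.close()
```

If the server uses a certificate from a private CA, pass that CA's file as `cafile` rather than disabling verification.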