I noticed that when I added the FogBugz RSS Feed to my iGoogle page I had to embed my username and password in the feed URL. So are there any security risks associated with doing this?

EDIT: Yes, my question should have specifically stated https and whether or not the query string portion of the url is encrypted.

+2  A: 

If it's not an HTTPS URL then yes.

If it is not, it doesn't mean your account has been compromised yet, but you're sending authentication information over an unencrypted channel... you're asking for it.

If it is HTTPS you're fine. HTTPS URLs are encrypted.

Spencer Ruport
So if HTTPS encrypts the URL, it must just encrypt the query string portion?
David Glass
HTTPS establishes the SSL connection before transmitting anything about the URL. The only information that is exposed is the server address it is connecting to.
Danny
@FUD: Yeah the protocol stack goes something like IP->TCP->SSL->HTTP. So really, aside from the fact that the standard HTTPS port is 443 they can't even know for sure what protocol you're using.
Spencer Ruport
OK, so it cannot be intercepted, but could the data be logged in plaintext server logs on the receiving HTTPS server, and quite possibly also in browser history? How about the URL being available to browser plugins and possibly even other applications on the client computer?
David Glass
You can't know for sure. Whether or not there are logs for HTTPS URLs depends on the server, and whether or not your browser logs the information depends on the browser.
Spencer Ruport
+1  A: 

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

pand0ra
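The two answers above agree on the practical risk: TLS hides the query string on the wire, but the URL still lands in server access logs and travels in the Referer header. The following is an added example, not code from the original question or answers, showing what that exposure looks like in a combined-format access log and how a defender would redact the secret before it is written or when reviewing existing logs. The log lines are constructed samples, the hostname `fogbugz.example.com` is a placeholder, and the set of parameter names treated as secrets is an assumption to adjust for the application at hand.

```python
"""Find and redact credentials embedded in URLs before they reach logs.

Added example (not from the original Q&A). Assumes an Apache/nginx-style
combined access log; every log line below is a constructed sample.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-string keys treated as secrets. Assumption: adjust for the
# application being protected (the question's feed used a password).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "sessionid", "auth"}

# Combined log format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def contains_credentials(url: str) -> bool:
    """True if the URL carries userinfo (user:pass@host) or a sensitive query key."""
    parts = urlsplit(url)
    if "@" in parts.netloc:
        return True
    return any(k.lower() in SENSITIVE_KEYS
               for k, _ in parse_qsl(parts.query, keep_blank_values=True))


def redact_url(url: str) -> str:
    """Return `url` with userinfo and sensitive query values replaced.

    Works for full URLs (as seen in Referer headers) and for bare request
    targets such as '/api.asp?x=1' (as seen in the access-log request line).
    """
    parts = urlsplit(url)
    netloc = parts.netloc
    if "@" in netloc:
        netloc = "[REDACTED]@" + netloc.rsplit("@", 1)[1]
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
               for k, v in pairs]
    # safe="[]" keeps the marker readable instead of percent-encoding it.
    query = urlencode(cleaned, safe="[]")
    return urlunsplit((parts.scheme, netloc, parts.path, query, parts.fragment))


def scan_access_log(lines):
    """Return (line_no, field, redacted_url) for every leaked credential.

    Both the request target and the Referer field are checked, because a
    secret URL leaks into the Referer of whatever page the user visits next.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for field in ("target", "referer"):
            value = m.group(field)
            if value and value != "-" and contains_credentials(value):
                findings.append((n, field, redact_url(value)))
    return findings


# Constructed sample log. Line 1: the feed fetched with the password in the
# query string (feed server's log). Line 2: the user then followed a link to
# an off-site page, so that site's log received the secret URL as Referer.
# Line 3: an ordinary request with nothing to report.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2009:13:55:36 +0000] "GET /api.asp?cmd=listCases'
    '&username=alice&password=s3cret HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2009:13:56:01 +0000] "GET /article/42 HTTP/1.1" 200 512 '
    '"https://fogbugz.example.com/api.asp?cmd=listCases&username=alice&password=s3cret" '
    '"Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2009:13:57:12 +0000] "GET /default.asp HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line_no, field, redacted in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: credential in {field}: {redacted}")
    print(redact_url("https://alice:s3cret@fogbugz.example.com/feed.asp?ix=1"))
```

Running it reports the password in line 1 (request line) and line 2 (Referer), already redacted; line 3 is silent. Wiring `redact_url` into the logging path is the mitigation; `scan_access_log` is the check for logs that were written before that was done.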