views:

3537

answers:

9

I am creating a secure web based API that uses HTTPS however if I allow the users to configure it (include sending password) using a query string will this also be secure or should I force it to be done via a POST?

+10  A: 

Yes. The entire text of an https session is secured by SSL.
that includes the query and the headers.
In that respect, a POST and a GET would be exactly the same.
As to the security of your method, There's no real way to say without proper inspection.

shoosh
JoeBloggs
+1  A: 

Yes, from the moment on you establish a HTTPS connection everyting is secure. The query string (GET) as the POST is send over SSL.

Drejc
+5  A: 

see this post on SO... http://stackoverflow.com/questions/190771/how-secure-is-sending-sensitive-data-over-https

Thank you this has confirmed that the info in the question marked as correct is valid.
John
+9  A: 

From a "sniff the network packet" point of view a GET request is safe, as the browser will first establish the secure connection and then send the request containing the GET parameters. But GET url's will be stored in the users browser history / autocomplete, which is not a good place to store e.g. password data in. Of course this only applies if you take the broader "Webservice" definition that might access the service from a browser, if you access it only from your custom application this should not be a problem.

So using post at least for password dialogs should be preferred. Also as pointed out in the link littlegeek posted a GET URL is more likely to be written to your server logs.

VolkA
A: 

SSL first connects to the host, so the host name and port number are transferred as clear text. When the host responds and the challenge succeeds, the client will encrypt the HTTP request with the actual URL (i.e. anything after the third slash) and and send it to the server.

There are several ways to break this security.

It is possible to configure a proxy to act as a "man in the middle". Basically, the browser sends the request to connect to the real server to the proxy. If the proxy is configured this way, it will connect via SSL to the real server but the browser will still talk to the proxy. So if an attacker can gain access of the proxy, he can see all the data that flows through it in clear text.

Your requests will also be visible in the browser history. Users might be tempted to bookmark the site. Some users have bookmark sync tools installed, so the password could end up on deli.ci.us or some other place.

Lastly, someone might have hacked your computer and installed a keyboard logger or a screen scraper (and a lot of Trojan Horse type viruses do). Since the password is visible directly on the screen (as opposed to "*" in a password dialog), this is another security hole.

Conclusion: When it comes to security, always rely on the beaten path. There is just too much that you don't know, won't think of and which will break your neck.

Aaron Digulla
A: 

What about this: the user browser's URL (query string) contains a parameter with sensitive information while in HTTPS session and submitted. But, suddenly, the user stops the HTTPS session and starts typing a new URL of another website. Does the other website see the referred page's URL from the previous HTTPS session?

Oh, nevermind. It's already answered in the given link by littlegeek. My bad!

+42  A: 

Yes, it is. But using GET for sensitive data is a bad idea for several reasons:

  • Mostly HTTP referrer leakage (an external image in the target page might leak the password[1])
  • Password will be stored in server logs (which is obviously bad)
  • History caches in browsers

Therefore, even though Querystring is secured it's not recommended to transfer sensitive data over querystring.

[1] Although I need to note that RFC states that browser should not send referrers from HTTPS to HTTP. But that doesn't mean a bad 3rd party browser toolbar or an external image/flash from an HTTPS site won't leak it.

dr. evil
+1  A: 

I don't agree with the statement about [...] HTTP referrer leakage (an external image in the target page might leak the password) in Slough's response.

The HTTP 1.1 RFC explicitly states:

Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.

Anyway, server logs and browser history are more than sufficient reasons not to put sensitive data in the query string.

Arnout
There's that word 'should' again. Would you trust every version of every browser with your password?
JoeBloggs
How exactly is this related to GET vs POST?Would "every version of every browser" be safe if you're using POST over HTTPS?
Arnout
Besides, the HTTPS web page might be retreiving an external image *over HTTPS* - in which case, the browser SHOULD include the referer header, and thus expose your password...
AviD
+2  A: 

Yes, as long as no one is looking over your shoulder at the monitor.

Ali A