Reputation: 1724
Reading over http://getpocket.com/api/docs/
Is it safe to pass a password through the HTTP string? My understanding is that this is not safe, even though it's HTTPS. Correct?
Upvotes: 3
Views: 993
Reputation: 4675
The API documentation states that you're passing over HTTPS. Actually, all of the information in the HTTP header, whether GET or POST, is part of the SSL transport; therefore the URL parameters are encrypted as well, so your GET parameters are encrypted. What can't be guaranteed is what your client will retain, or whether there was some other process that exposed some information, such as when your server did a DNS lookup for the host name. Another example: if you have a browser and it keeps a history of everything you type in it, including your HTTPS URLs, then you may compromise your security.
Below is the HTTP header; your client will initiate a TCP connection and send something like the following:
GET /tutorials/other/top-20-mysql-best-practices/ HTTP/1.1
Host: net.tutsplus.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: PHPSESSID=r2t5uvjq435r4q7ib3vtdjq120
Pragma: no-cache
Cache-Control: no-cache
SSL will dictate that all that information is encrypted, along with anything that is sent back. I would say you're safe using this API; the only difference between the GET and the POST methods would be that in the POST the parameters would be in the body, whereas with the GET the parameters are in the header. In both cases all the sensitive information is encrypted.
Upvotes: 2
Reputation: 13945
I agree in principle that it sounds unsafe. URLs can end up in all kinds of funny places in plain text (even over HTTPS), like logs. It would be best to avoid having it in plaintext anywhere.
You should probably talk to the API authors about whether there is an alternative strategy. For example, it looks like some of those methods support both POST and GET, in which case you could possibly POST password details, which is a relatively safe thing to do over an HTTPS connection.
Upvotes: 1
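Added example, not part of either answer and not Pocket's code: the point about URLs ending up in logs, shown as a small audit that finds and redacts credentials in the request line of access-log entries. The log lines, the `/example/auth` path and the list of sensitive parameter names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Parameter names treated as secrets (assumed list for this example).
SENSITIVE = {"password", "passwd", "pwd", "token", "apikey"}

# Request part of a Common Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def leaked_params(line):
    """Return names of sensitive query parameters visible in one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    return [k for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE and v]

def redact(line):
    """Rewrite the line with sensitive query values replaced by REDACTED."""
    def fix(m):
        parts = urlsplit(m.group("target"))
        pairs = [(k, "REDACTED" if k.lower() in SENSITIVE else v)
                 for k, v in parse_qsl(parts.query, keep_blank_values=True)]
        target = parts._replace(query=urlencode(pairs)).geturl()
        return f'"{m.group("method")} {target} {m.group("proto")}"'
    return REQUEST_RE.sub(fix, line)

# Constructed sample: the same login sent as GET (parameters in the URL)
# and as POST (parameters in the body, which the request line does not carry).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /example/auth?username=alice&password=hunter2 HTTP/1.1" 200 12',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] '
    '"POST /example/auth HTTP/1.1" 200 12',
]

def audit(lines):
    """Return (line_number, leaked_names, redacted_line) for leaking lines."""
    return [(i, leaked_params(l), redact(l))
            for i, l in enumerate(lines, 1) if leaked_params(l)]

if __name__ == "__main__":
    for n, names, clean in audit(SAMPLE_LOG):
        print(f"line {n}: leaked {names}\n  {clean}")
```

Both requests would be encrypted on the wire under HTTPS; only the GET form leaves the password in the server-side log entry.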