On Monday 14 September 2009 07:20:29 pm Sj Tib wrote:
I have joined a development group where developers have created a “REST”
interface that passes username and password as parameters (with every
call) though the call is made over https e.g.
Ew. But no real problem there.
It is not truly a REST
interface as they have designed it to make all calls as POST (instead of
using the other HTTP verbs like PUT/DELETE/GET).
So they’re using POST and a querystring?
I am not comfortable
with the username and pwd being sent in with every HTTPS call - doesn’t
This is how HTTP Authentication often works.
- Even if it is a POST with https can’t someone see the username and
password in the url going over the network?
No, unless you’re using a proxy server.
I am assuming the network
sees the url in deciding where to forward it to.
Not at all.
Basic way this would work, at a low level:
- You tell your HTTP library to fetch
- The library asks your dns server what foo.com is.
- The dns server returns an IP address, call it 22.214.171.124.
- The library opens a secure (encrypted) connection to 126.96.36.199.
- The library sends “POST /bar/baz?user=smith&pwd=god HTTP/1.1” over
- The library sends a few newlines, then the body of the post.
- 188.8.131.52 sends the response over the secure channel.
Keep in mind, by “http library”, I mean “code running inside your
So, the only thing the network can see is:
- You asked for foo.com
foo.com is 184.108.40.206
- You connected to 220.127.116.11
- You had some sort of encrypted communication with 18.104.22.168. (Or maybe
garbage, who knows?)
That’s it. Every part of the URL after the hostname is sent over the
encrypted channel as the POST body. (Again, unless you’re using a
Is it any more/less
vulnerable if GET/PUT/DELETE is used with https and the username/pwd is
passed in url?
It’s still ludicrously bad design – you should be authenticating with a
cookie or with HTTP authentication, not with the URL or the post body.
it’s not particularly insecure inside a REST call, assuming that call is
made deep inside the app.
However, there are a few potential vulnerabilities, if you do this in a
browser. The most obvious one is, the URL (complete with username and
password) is now in your history. Some people won’t care – I click
password” a lot.
But some people don’t save passwords, or would like to be able to use a
computer without the password sticking around. And I certainly wouldn’t
any shoulder-surfer to be able to read my password right out of the URL.
If every REST
call is an https call won’t there be significant processing overheads
not only on the server side but also on the PDA client side?
Depends. Do you value your clients’ data? Yes? Use https.
On the server side, you can put an https proxy in front of it. You can
get machines which will do this in hardware. It’s pretty much a “throw
at it” kind of problem. Again, ask yourself – do you value your
data? Is your clients’ data worth that expense? Probably.
On the client side, it’ll drain slightly more battery on an iPhone, but
nothing significant, especially compared to what you’re already doing
the HTML, applying styles, doing animations, etc etc.
It’s worth mentioning that, depending on the sensitivity of the data
you might be able to improve performance by switching to something as
HTTP challenge/response, and using straight HTTP. Anyone will be able to
intercept/mangle the data itself, but they won’t get your password, and
could always force HTTPS for any destructive operations, or for anything
But, if you use a session cookie, you’ll want HTTPS again, because any
eavesdropper can now hijack your session and use that to login.
- What is the best practice security model to be used with REST API
when the interface will be opened up to the world for all kinds of apps
to be built on top of it? (Not planning on OAuth as the data is not
expected to be consumed by other website apps)
In my opinion, abstract the authentication away, and never put it in the
– it’s just bad taste. Once properly abstracted, you should be able to
what Rails does with restful_authentication – you can transparently
http or https (whichever the client wants) or force one or the other,
can transparently support HTML form + cookie authentication, HTTP
authentication, CAS, or anything else you care to implement.
Anyone accessing this from a web browser probably wants to use HTML and
cookies, while anyone accessing this as an API would probably find it
use HTTP auth. People in the outside world should use HTTPS (and you can
it), while anything inside your network (or on the same machine) could
probably use HTTP.