{"id":2037,"date":"2015-02-26T12:22:47","date_gmt":"2015-02-26T10:22:47","guid":{"rendered":"http:\/\/hasselba.ch\/blog\/?p=2037"},"modified":"2015-02-26T12:35:42","modified_gmt":"2015-02-26T10:35:42","slug":"rest-security-why-http-get-is-insecure-and-the-other-methods-too","status":"publish","type":"post","link":"https:\/\/hasselba.ch\/blog\/?p=2037","title":{"rendered":"REST &#038; Security: Why HTTP GET is insecure (and the other methods too)"},"content":{"rendered":"<p>Yesterday Ren\u00e9\u00a0commented that submitting\u00a0username and password with HTTP GET is insecure, because they\u00a0are submitted in clear text over the wire as part of the URI.<\/p>\n<p>At the first moment, I did not give some thought about it,\u00a0because it is known fact that data added to an\u00a0URI are less secure. They are added to the browser history, are logged in the requests on servers, and every proxy between the user&#8217;s browser and the requested server\u00a0are seeing (and maybe logging) these URI&#8217;s too. That&#8217;s why HTTP GET is problematic:\u00a0The credentials are accidentially spread over the whole world, like any other information which are appended to an URI.<\/p>\n<p>In\u00a0Ren\u00e9&#8217;s example, he pointed out that a\u00a0hotspot provider of a public WiFi can easily grab the URIs (and the credentials), and that&#8217;s the reason why HTTP GET is insecure. But this is not the whole truth:\u00a0As soon HTTP data are going over the wire, the data can be fetched from anyone in the chain of the transport, and it doesn&#8217;t matter which HTTP method is used.<\/p>\n<p>Some clever guys are running\u00a0TOR exit nodes and grab the whole traffic through a transparent proxy, and because they have access to the whole traffic, they are able to fetch credentials from these requests. As long as the data\u00a0are unprotected.<\/p>\n<p>To protect your data, you have two choices: Use HTTPS connections or encrypt the data by yourself (f.e. with <a title=\"ietf.org: JSON Web Encryption (JWE)\" href=\"https:\/\/tools.ietf.org\/html\/draft-ietf-jose-json-web-encryption-40\" target=\"_blank\">JWE<\/a>). Manually encrypting won&#8217;t solve the problem of logging, but it can help to secure the data. But the preferred way is first one, because it solves all the problems of insecure data during their transport, and is really easy to implement. TLS \/ SSL is a layer between the TCP layer and the HTTP layer, and the whole traffic (the HTTP data) is\u00a0encrypted. This includes the URI,\u00a0only the target host is known to everyone involved of the transport<\/p>\n<p>You shouldn&#8217;t use HTTP GET to transfer sensitive informations. The browser history is problematic, and the logs on the target server would contain the requested URIs. When developing a RESTful API you must bear this in mind.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Yesterday Ren\u00e9\u00a0commented that submitting\u00a0username and password with HTTP GET is insecure, because they\u00a0are submitted in clear text over the wire as part of the URI. At the first moment, I did not give some thought about it,\u00a0because it is known &hellip; <a href=\"https:\/\/hasselba.ch\/blog\/?p=2037\">Weiterlesen <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[61,35,82,81],"tags":[60,90,16,12],"class_list":["post-2037","post","type-post","status-publish","format-standard","hentry","category-rest","category-security","category-server","category-web","tag-rest","tag-security","tag-server","tag-web"],"_links":{"self":[{"href":"https:\/\/hasselba.ch\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2037","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hasselba.ch\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hasselba.ch\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hasselba.ch\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hasselba.ch\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2037"}],"version-history":[{"count":9,"href":"https:\/\/hasselba.ch\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2037\/revisions"}],"predecessor-version":[{"id":2046,"href":"https:\/\/hasselba.ch\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2037\/revisions\/2046"}],"wp:attachment":[{"href":"https:\/\/hasselba.ch\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2037"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hasselba.ch\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2037"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hasselba.ch\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2037"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}