Folks,
I have joined a development group where developers have created a "REST"
interface that passes username and password as parameters (with every
call) though the call is made over https e.g.
https://<baseurl>?user=<username>&pwd=<password>. It is not truly a REST
interface as they have designed it to make all calls as POST (instead of
using the other HTTP verbs like PUT/DELETE/GET). I am not comfortable
with the username and pwd being sent in with every HTTPS call - doesn't
feel right - but I don't know how the data gets transferred over the
network (the url parameter data vs. the real posted data) and have
a couple of questions.
1. Even if it is a POST with https can't someone see the username and
password in the url going over the network? I am assuming the network
sees the url in deciding where to forward it to. Is it any more/less
vulnerable if GET/PUT/DELETE is used with https and the username/pwd is
passed in url?
2. The REST API will be used by business partners for now but will be
opened up for Apps on iPhone and other PDAs down the road. If every REST
call is an https call won't there be significant processing overheads
not only on the server side but also on the PDA client side?
3. What is the best practice security model to be used with REST API
when the interface will be opened up to the world for all kinds of apps
to be built on top of it? (Not planning on OAuth as the data is not
expected to be consumed by other website apps)
Thanks for your help or any pointers you can provide.
-S
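The following is an added example, not part of the original post, illustrating the first question: where query-string credentials actually end up. Under HTTPS the entire request line (method, path and `?user=&pwd=` query) travels inside the TLS tunnel, so a passive observer on the network sees only the server name (via SNI) and the IP address, regardless of whether GET or POST is used. The usual exposure is elsewhere: the server terminates TLS and then writes the request line, query string included, into its access log in clear, while credentials placed in the POST body are not logged by default. The hostnames, paths, log format and credential values below are all constructed for the example.

```python
"""
Added example (not from the original post): trace a URL-borne credential from
the client's request bytes, through what an on-path observer can see, to the
server's access log, and redact it there. All values are constructed.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names whose values should never reach a log (assumed list).
SENSITIVE_PARAMS = {"pwd", "password", "passwd", "token", "secret"}


def build_request(method: str, url: str, body: str = "") -> tuple[str, bytes]:
    """Return (host, raw HTTP/1.1 request) as the client hands it to TLS.
    Every byte of the returned request, query string included, is encrypted
    on the wire; only the host (SNI) and IP address are visible in clear."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    lines = [f"{method} {target} HTTP/1.1", f"Host: {parts.netloc}"]
    if body:
        lines.append("Content-Type: application/x-www-form-urlencoded")
        lines.append(f"Content-Length: {len(body.encode())}")
    raw = "\r\n".join(lines) + "\r\n\r\n" + body
    return parts.netloc, raw.encode()


def on_path_view(host: str, raw: bytes) -> dict:
    """What a passive network observer learns from the HTTPS exchange:
    the server name and roughly how much was sent, not path, query or body."""
    return {"sni_host": host, "ciphertext_len": len(raw)}


def access_log_line(raw: bytes, client_ip: str = "198.51.100.7") -> str:
    """Constructed Common Log Format entry, as a web server writes it after
    TLS termination: the request line is logged verbatim, query string and
    all, while the POST body is not."""
    request_line = raw.split(b"\r\n", 1)[0].decode()
    return f'{client_ip} - - [10/Oct/2000:13:55:36 -0700] "{request_line}" 200 512'


def redact_url(url: str) -> str:
    """Replace the values of sensitive query parameters with a placeholder."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


_REQ_LINE = re.compile(r'"(\w+) (\S+) (HTTP/[\d.]+)"')


def redact_log_line(line: str) -> str:
    """Scrub sensitive query values from the request line of a log entry."""
    return _REQ_LINE.sub(
        lambda m: f'"{m.group(1)} {redact_url(m.group(2))} {m.group(3)}"', line)


if __name__ == "__main__":
    # Credentials in the query string (the pattern described in the post).
    host, raw = build_request(
        "POST", "https://api.example.test/orders?user=alice&pwd=s3cret")
    print("observer sees:", on_path_view(host, raw))
    print("access log   :", access_log_line(raw))
    print("redacted     :", redact_log_line(access_log_line(raw)))
    # Same credentials carried in the POST body instead.
    _, raw_body = build_request(
        "POST", "https://api.example.test/login", body="user=alice&pwd=s3cret")
    print("body variant :", access_log_line(raw_body))
```

Running it shows the query-string variant's password in the constructed log line and the body variant's absence from it; the redaction helper is the kind of filter that would sit in front of log shipping if the URL design cannot be changed immediately.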