
I am actually trying to send SMS using CDYNE and their API. To do that, I am using Java with the HttpGet and HttpClient objects (HttpCore and HttpClient libs). I am sending the request to an https URL, passing the parameters like https://www.example.com/SecureREST/SimpleSMSsend?PhoneNumber=ABC&Message=XYZ

Would it be a security issue that I am using a GET request and that all parameters are in the URL itself? What if the content of the Message parameter in the URL contains sensitive information? Could someone sniff the network to get hold of the content, or is it safe since the request is sent using HTTPS?

My belief is that only www.example.com is visible during the handshake process and that once this is done, everything is encrypted, but I just want to make sure.

Bruno
dukable

  • +1 for asking, instead of simply assuming it's probably secure. – Tony Ennis May 14 '12 at 19:38
  • Install http://www.wireshark.org/ and check out for yourself what is sent on the network. – Kristian May 14 '12 at 19:40
  • As far as I remember your understanding is correct. www.example.com is the only part visible during the handshake. – kosa May 14 '12 at 19:41
  • possible duplicate of [With HTTPS, are the URL and the request headers protected as the request body is?](http://stackoverflow.com/questions/8858102/with-https-are-the-url-and-the-request-headers-protected-as-the-request-body-is) – Bruno May 14 '12 at 21:16
  • @TonyEnnis -1 for not checking whether the question had already been asked. There are multiple duplicates for this question. – Bruno May 14 '12 at 21:17
  • @TonyEnnis, you're probably right, I was a bit harsh for a newcomer. Sorry. – Bruno May 14 '12 at 22:45
  • Here the problem isn't so much about the HTTPS encryption, but the design of the API. If making a GET request sends an SMS, it will have side-effects, which is against the HTTP spec: GET requests are meant to be idempotent. – Bruno May 14 '12 at 22:48

1 Answer


Wikipedia is pretty clear about this:

Note that when a client sends an HTTPS request, the hostname and port of the URL are unencrypted... However, all other parts of the HTTPS request, including the URL path and query parameters, can only be decrypted by the destination site or by an interposing intermediary that terminates the HTTPS connection on behalf of the site.

So your belief is right. Only the hostname and port are openly visible; the rest of the URL is encrypted.

David Webb

  • Wikipedia is also pretty wrong about this. The entire request is encrypted. The intruder can detect *by other means* which ip:port is being connected to, etc, but certainly not via the contents of the request. The Wiki paragraph concerned was only added last week and it is about to disappear. – user207421 May 15 '12 at 01:40
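The point made in both the question and the answer (the hostname is readable during the handshake, the path and query string are not) can be shown on the wire. The following is an added example, not code from the original post or from any of its answerers: it constructs a minimal TLS 1.2 ClientHello carrying a Server Name Indication (SNI) extension, parses the server name back out of it the way a passive observer on the network could, and wraps a stand-in "encrypted request" in an application_data record to show that an observer gets nothing from it but the record type and length. The hostname, the SMS API path and the ciphertext stand-in are all constructed values; the stand-in is random bytes, not real TLS ciphertext.

```python
import os
import struct

TLS_HANDSHAKE = 0x16
TLS_APPLICATION_DATA = 0x17
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record with one SNI extension.
    Constructed for this example; real clients send many more extensions."""
    name = hostname.encode("ascii")
    # server_name_list entry: name_type(1) = host_name(0), name_len(2), name
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext_data = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext_data)) + sni_ext_data
    cipher_suites = b"\xc0\x2f\x00\x9c"          # two suite ids, 4 bytes
    body = (
        b"\x03\x03"                               # client_version TLS 1.2
        + os.urandom(32)                          # client random
        + b"\x00"                                 # empty session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                             # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def build_application_data(ciphertext: bytes) -> bytes:
    """Wrap already-encrypted bytes in a TLS application_data record.
    The HTTP request line (method, path, query string) travels inside this payload."""
    return bytes([TLS_APPLICATION_DATA]) + b"\x03\x03" + struct.pack("!H", len(ciphertext)) + ciphertext


def extract_sni(record: bytes):
    """Return the SNI hostname from a ClientHello record, or None if there is none
    (or the record is not a ClientHello). This is exactly what a passive sniffer sees."""
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != HANDSHAKE_CLIENT_HELLO:
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                          # skip version + random
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
        if pos + 2 > len(body):
            return None                                       # no extensions block
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_size]
            pos += ext_size
            if ext_type != EXT_SERVER_NAME:
                continue
            list_len = struct.unpack("!H", data[0:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if name_type == 0:                            # host_name
                    return data[q:q + name_len].decode("ascii")
                q += name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def observe(record: bytes) -> dict:
    """What a passive network observer learns from a single TLS record."""
    if record[0] == TLS_HANDSHAKE:
        return {"type": "handshake", "sni": extract_sni(record)}
    if record[0] == TLS_APPLICATION_DATA:
        return {"type": "application_data",
                "length": struct.unpack("!H", record[3:5])[0]}
    return {"type": "other"}


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    # Stand-in for the encrypted request: random bytes the size of the request line.
    request_line = b"GET /SecureREST/SimpleSMSsend?PhoneNumber=ABC&Message=XYZ HTTP/1.1\r\n"
    encrypted_request = os.urandom(len(request_line))
    for rec in (hello, build_application_data(encrypted_request)):
        print(observe(rec))
```

The first record yields the hostname; the second yields only a type and a byte count, which is why the answer's "the rest of the URL is encrypted" holds for a sniffer on the path. Two practical caveats: this describes transit only, so a query string that is safe on the wire can still end up in the server's access log or a proxy log; and the SNI leak shown here is what the newer TLS 1.3 Encrypted Client Hello extension is designed to close.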