2

I'm in the process of designing a REST API and we're trying to decide how to do encryption. We are currently using HTTPS for all requests/responses; however, various logs (DNS, browser, ...) will log the plain-text URL. This raises an issue when we're sending sensitive data in the URL, such as "www.mysite.com/user/credit-card-number/". Is there a way to leverage the SSL/TLS public/private keys to encrypt path parameters? For example, "www.mysite.com/user/credit-card-number/" turns into "www.mysite.com/encryptedstring".

dpayne
  • Is it a requirement to include the cc number in the URL? – Jeremy Jul 10 '12 at 22:05
  • I don't understand why you need it. But if you want your client to encrypt using the public key (from the server certificate) and the server to decrypt it using its private key, then [here's an example in Python](http://stackoverflow.com/a/7670551/4279). – jfs Jul 10 '12 at 22:53
  • The Python example is similar to what I want to do. Would this be considered secure enough to use in a large scale project? – dpayne Jul 10 '12 at 23:08
  • @dpayne: v1 padding might be required to be replaced with OAEP padding; it depends on the whole usage scenario. [Read this](http://chargen.matasano.com/chargen/2009/7/22/if-youre-typing-the-letters-a-e-s-into-your-code-youre-doing.html); it is about AES but the same logic applies to RSA. I agree with Jeremy. It might be possible to secure the data in the URL but it is not worth it if you can just avoid putting sensitive info there in the first place... – jfs Jul 14 '12 at 00:52
  • ... RESTful design suggests that your client code shouldn't change even if you replace your URLs by random blobs (though it makes initial implementation more complex). – jfs Jul 14 '12 at 00:52

2 Answers

2

I would highly recommend that you not put sensitive data in the URL. If you need something identifying, you could at least use a randomly generated String/UUID/token/whatever that maps to whatever it is that is being identified.

Handling manual encryption/decryption would depend on what language/framework you are using. For example, if you were using Java, then do some Google searches on JSSE, which is Java's framework for SSL/TLS.

If you're looking for something to automajically do the encryption/decryption for you, I would think that would also depend on the framework you are using.

Jeremy
  • We don't want to put sensitive data in the URL. I know that it's possible to generate a token and use that in the URL instead; however, this requires work from both the client and developer for every request. What I'd like is to add an encryption section to our current REST API framework that will use the SSL key to encrypt the URL before the request is sent. This way the encryption would be transparent to the client/developer since the framework is taking care of it. – dpayne Jul 10 '12 at 22:44
0

If I understand correctly, you are asking if URLs are encrypted over an SSL/TLS channel. The answer is yes, as this SO question points out. Over TLS, everything is encrypted between the client and server except the IP address and port of the targeted server. (This includes the HTTP headers as well.)

EDIT: After reading again, I see that you are interested in stopping the URL being logged. I'm pretty sure the only way to do this is to change the URL on the server. Not much help, but my suggestion is don't put the cc number in the URL or use some kind of derived key instead.

Community
Davin Tryon
  • I understand that TLS encrypts everything, but the DNS logs and the browser logs (especially for GET requests) will store the unencrypted URL. Further down in that same post Zach Scrivena mentions that many DNS server logs do this. – dpayne Jul 10 '12 at 22:47
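
The token indirection that both answers suggest (a random token in the URL that maps server-side to the sensitive value), as an added example that is not code from this thread. The `TokenVault` class, the `/user/cards/` route and the in-memory dict are assumptions made for illustration, and the Luhn-based check shows one way to catch a card number that still ends up in a URL.

```python
import re
import secrets
import time


class TokenVault:
    """Server-side map from opaque tokens to sensitive values (in-memory demo)."""

    def __init__(self, ttl_seconds=900):
        self._ttl = ttl_seconds
        self._entries = {}  # token -> (value, expires_at)

    def issue(self, value, now=None):
        now = time.time() if now is None else now
        # 32 bytes from the OS CSPRNG: unguessable and unrelated to the value.
        token = secrets.token_urlsafe(32)
        self._entries[token] = (value, now + self._ttl)
        return token

    def resolve(self, token, now=None):
        now = time.time() if now is None else now
        value, expires_at = self._entries.get(token, (None, 0.0))
        if value is None or now >= expires_at:
            self._entries.pop(token, None)  # drop expired entries on lookup
            return None
        return value


def luhn_valid(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


CARD_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def url_leaks_card_number(url):
    """Pre-send or log-review check: does the URL carry a Luhn-valid digit run?"""
    return any(luhn_valid(m.group()) for m in CARD_RUN.finditer(url))


def card_url(vault, card_number):
    # Hypothetical route; only the opaque token reaches URL logs and history.
    return "https://www.mysite.com/user/cards/" + vault.issue(card_number)
```

Unlike an encrypted path segment, the token carries no information about the card number, so a logged URL is useless once the token expires or is revoked.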