
The following plain java code is calling some web service API:

import java.io.*;
import java.net.URL;
import java.nio.charset.Charset;

String url = "https://my_web_service/some_function?password=my_password"; // password sent in the query string
InputStream is = new URL(url).openStream();
BufferedReader rd = new BufferedReader(new InputStreamReader(is, Charset.forName("UTF-8")));
String result = readAll(rd);  // result is also sensitive data! (readAll: helper that reads the whole stream into a String)

Is this a safe way to transmit and receive sensitive data? Assume arguments like this are not relevant:

"SSL is secure, but remember that any encryption can be broken if given enough time..."

Thanks,

michael
  • Yes, it is safe since query parameters are encrypted by SSL certificate's key. Use google search next time, your question isn't anything unique. – Andremoniy Aug 20 '16 at 10:24
  • @Andremoniy Yes it's **encrypted**. No it's not safe. It's explained in the duplicate you posted. – Tom Aug 20 '16 at 22:22

1 Answer


While you are using modern ciphers, you can consider SSL secure. It is still vulnerable to man-in-the-middle attacks though - certificate pinning and other practices are designed to prevent these attacks.

Another issue in your code is that you are passing the password as a query parameter - it's better to pass it in the request body. Otherwise it will be printed in the server access logs and client logs (probably).

If it were a web page, not a web service, it would also be stored in browser history, bookmarks, etc.

bedrin
  • OK, so I'll move the request params to the body. But what about the response? Is it "by definition" OK in the above case? Thanks, – michael Aug 20 '16 at 10:34
  • @michael yes, response body is ok. – bedrin Aug 20 '16 at 10:47
  • @bedrin "passwords in urls are a bad idea", one more reason: securityweek.com/hackers-can-intercept-https-urls-proxy-attacks – Tom Aug 20 '16 at 12:55
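The following is an added example written for this thread (it is not code from the question or the answer) that makes the answer's logging point concrete. It runs a tiny local `com.sun.net.httpserver.HttpServer` that records what a typical access log records (request method plus request target), then calls it once with the password in the query string, as in the question, and once with the password in a POST body, as the answer recommends. The `/some_function` path and `my_password` value are taken from the question; the local server, plain HTTP on 127.0.0.1 (used only so the demo runs offline; a real service would be HTTPS) and the in-memory `accessLog` list are assumptions of this example.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class PasswordInUrlDemo {
    // Constructed stand-in for a server access log: one line per request in the usual
    // "METHOD request-target" shape. TLS does not change what lands here, because the
    // server sees the decrypted request line.
    static final List<String> accessLog = new ArrayList<>();

    static HttpServer startServer() throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/some_function", (HttpExchange ex) -> {
            // Record exactly what most access logs record: method and full request target.
            accessLog.add(ex.getRequestMethod() + " " + ex.getRequestURI());
            // Consume the body (where the POST variant carries the password) without logging it.
            try (InputStream in = ex.getRequestBody()) { in.readAllBytes(); }
            byte[] resp = "ok".getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(200, resp.length);
            try (OutputStream os = ex.getResponseBody()) { os.write(resp); }
        });
        server.start();
        return server;
    }

    // The pattern from the question: the password travels in the query string.
    static String getWithPasswordInQuery(String base, String password) throws IOException {
        String url = base + "/some_function?password="
                + URLEncoder.encode(password, StandardCharsets.UTF_8);
        try (InputStream is = new URL(url).openStream()) {
            return new String(is.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    // The pattern the answer recommends: the password travels in the request body.
    static String postWithPasswordInBody(String base, String password) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(base + "/some_function").openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        byte[] body = ("password=" + URLEncoder.encode(password, StandardCharsets.UTF_8))
                .getBytes(StandardCharsets.UTF_8);
        try (OutputStream os = conn.getOutputStream()) { os.write(body); }
        try (InputStream is = conn.getInputStream()) {
            return new String(is.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    public static void main(String[] args) throws IOException {
        HttpServer server = startServer();
        String base = "http://127.0.0.1:" + server.getAddress().getPort(); // plain HTTP for the local demo only
        String password = "my_password"; // constructed sample value from the question
        try {
            getWithPasswordInQuery(base, password);
            postWithPasswordInBody(base, password);
        } finally {
            server.stop(0);
        }
        // Flag every log line that contains the secret.
        for (String line : accessLog) {
            boolean leaked = line.contains(password);
            System.out.println((leaked ? "LEAKED  " : "clean   ") + line);
        }
    }
}
```

Running it prints two log lines: the GET line carries the password verbatim, the POST line shows only the path. That is the whole point of the answer: HTTPS encrypts the query string in transit, but the request target is still written in clear by the server (and often by proxies and client libraries), while a request body is normally not logged. The response body is returned only to the caller and is not written to the access log, which matches the follow-up comment that the response body is fine.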