0

We have created a sample Web API and hosted it in Azure. It has many GET and POST methods. We have to get the response through the API by passing some sensitive data like SSN, etc. We felt that a third party can view the query parameter values. So can SSL resolve the issue, or is there some simple method to fix it?

Vidhselva
  • 2
    http://info.ssl.com/article.aspx?id=10241 read first 2 sentences please – Samvel Petrosov Jul 21 '17 at 10:46
  • 3
    SSL/TLS of course mitigates the risk of a third party reading your information, but please be aware that passing sensitive information inside the query string is always a bad idea. Query string will be visible inside browsers, can be cached, may be stored in logs, etc. Those are all security issues. – Federico Dipuma Jul 21 '17 at 10:50
  • 1
    Use SSL/TLS which encrypts the communication but send sensitive data in the http message body and not the URL/Query string. – Igor Jul 21 '17 at 10:55
  • 1
    TLS 1.2 already supports 128-bit and 256-bit AES. Just enable HTTPS and configure it to use the stronger algorithms – Panagiotis Kanavos Jul 21 '17 at 11:17
  • 1
    Check [these instructions](https://learn.microsoft.com/en-au/azure/app-service-web/app-service-app-service-environment-custom-settings) on how to disable anything less than TLS 1.2 on Azure and use specific cipher algorithms – Panagiotis Kanavos Jul 21 '17 at 11:22
  • 1
    Also check [this SO question](https://stackoverflow.com/questions/42279777/how-to-know-if-an-azure-server-is-under-tls-1-2). Your site may already use TLS 1.2 simply because of Azure's default settings. The answers show how you can disable weaker TLS versions in code (by setting a specific TLS version) and configure your environment – Panagiotis Kanavos Jul 21 '17 at 11:25
  • 1
    A word of caution - encrypting the connection and URL isn't enough. You should ensure sensitive information isn't stored in application or web server logs. With IIS, you can simply [disable logging of the URI query](https://technet.microsoft.com/en-us/library/cc754702(WS.10).aspx). With application logs, eg with log4net, you should take care to *avoid* storing entire requests, objects or variables. – Panagiotis Kanavos Jul 21 '17 at 11:42
  • You should use filters or appenders that sanitize sensitive information to avoid even accidental logging. Logging entire requests is *very* helpful when troubleshooting or replaying requests. You may forget to lower the logging level after a debugging session, or forget to delete the trace/log files. – Panagiotis Kanavos Jul 21 '17 at 11:44

1 Answer

3

Why do you want to implement a new solution when you already have HTTPS (HTTP+SSL)? The request body is encrypted by default. You can disable weaker cipher suites and only allow higher TLS versions. You may also want to account for client compatibility while doing this, as not all clients will support all of the cipher suites and TLS protocol versions.

You can enforce TLS 1.2 for the clients by disabling other SSL/TLS protocol versions. It is tighter in its implementation compared to its predecessors. You can read about it here: Major Differences from TLS 1.1

You have not mentioned whether your web api is hosted on Azure VM/Cloud Service/Azure App Service. You cannot control the TLS/SSL configuration on the server in Azure App Service.

NOTE: Enabling HTTPS or implementing encryption doesn't guarantee a foolproof solution. You should ensure that the secrets are stored securely and, as pointed out by @Panagiotis, you will also have to ensure that you are not storing any sensitive information in the server/application logs. Security is a broader concept; HTTPS addresses one of the requirements.

Kaushal Kumar Panday
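The comments and the answer both recommend keeping sensitive values out of server and application logs. The following is an added example, not code from any of the posts, of a scrubbing step that could run on a message before it reaches a logger. The class name, the list of sensitive parameter names and the sample log lines are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

public static class LogSanitizer
{
    // Assumed parameter names; replace with the API's own sensitive fields.
    private static readonly HashSet<string> SensitiveKeys =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "ssn", "dob", "password" };

    // SSN-shaped text (123-45-6789 or 123456789) appearing anywhere in a message.
    private static readonly Regex SsnPattern =
        new Regex(@"\b\d{3}-?\d{2}-?\d{4}\b", RegexOptions.Compiled);

    // One key=value pair of a query string: delimiter, key, value.
    private static readonly Regex QueryPair =
        new Regex(@"([?&])([^=&\s#]+)=([^&\s#]*)", RegexOptions.Compiled);

    // Redacts values of sensitive query parameters, then any SSN-shaped text left over.
    public static string Scrub(string message)
    {
        if (string.IsNullOrEmpty(message)) return message;
        string result = QueryPair.Replace(message, m =>
            SensitiveKeys.Contains(Uri.UnescapeDataString(m.Groups[2].Value))
                ? m.Groups[1].Value + m.Groups[2].Value + "=[REDACTED]"
                : m.Value);
        return SsnPattern.Replace(result, "[REDACTED-SSN]");
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample messages, not taken from any real system.
        string[] samples =
        {
            "GET /api/customers?ssn=123-45-6789&page=2 200",
            "GET /api/customers?name=doe&SSN=123456789 200",
            "Lookup failed for applicant 987-65-4321",
            "GET /api/health 200"
        };
        foreach (string line in samples)
            Console.WriteLine(LogSanitizer.Scrub(line));
    }
}
```

The SSN pattern also matches any other nine-digit number, so it errs toward over-redaction. It complements, and does not replace, sending the value in the request body over HTTPS and disabling query logging on the web server.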