1

any request is made via HTTPS and the token is transmitted the following ways:

a) GET https://foo.dom/foobar?auth_token=abcxyz

b) GET https://foo.dom/foobar with HTTP-header like X-FOOBAR-TOKEN: abcxyz

As I understand SSL, in case of an HTTP request the client first negotiates the SSL connection and does only transmit additional parameters and/or HTTP headers in case the secure connection was established successfully.

Am I right so far?

Thx fur any suggestion. Felix

GeorgieF
  • 2,687
  • 5
  • 29
  • 43
  • If you're going to base your entire security on the presence of SSL, then please make sure you cant 'talk' the web server into serving it cleartext. – Marcin Oct 20 '11 at 15:15
  • Of course, in my case ssl_requirement does this for me. – GeorgieF Oct 21 '11 at 21:49

1 Answers1

2

SSL buys you encryption of the transport so no one can snag the auth token while it is being sent/to from the site. There are some man-in-the-middle attacks that can be performed against SSL but generally SSL should protect the token content.

What makes or breaks the security is whether or not the Token it-self is cryptographically secure. If that can be said to be true then your are golden. Check out this site http://web.mit.edu/kerberos/dialogue.html.

There are plenty of other sites that use secrue tokens for auth, see: http://docs.amazonwebservices.com/AmazonS3/latest/dev/index.html?RESTAuthentication.html.

Shawn Bower
  • 1,147
  • 1
  • 11
  • 18