
Plain HTTP, Postcards and HTTPS - Part 1

Jun 30, 2017 3:50:01 PM | Jason White


Recent Training Feedback

After a training class I gave recently, I received some feedback from one of the participants in the form of him requesting advice. The question was “is approach X more secure than approach Y?” where:

  • The code in question is an endpoint (service, API … whatever name you prefer)
  • Approach X = submitting using content-type: application/x-www-form-urlencoded
  • Approach Y = submitting it using content-type: application/json
  • The endpoint/service takes username & password for authentication as parameters on every request and checks it

So, to be explicit, the request body (POST) would look like this (in approach X):

[Screenshot: request body in approach X]

vs (in approach Y)

[Screenshot: request body in approach Y]

Which do you think is more secure? The answer is obvious … Neither!!! My reply was “Are you running this service over https?” The answer … “I’m not sure.”

So, what was the feedback about my training? I hadn’t adequately taught the importance of handling sensitive data in transit or the dangers of a ‘Man in the Middle’. So, here is my penance … I’ll try again and you get it for free!
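As an added illustration (not part of the original post), the sketch below sends the same username and password both ways and shows what a passive observer on the network path reads from each plain-HTTP request. The host, path, credential values and helper names are constructed for the example, and `require_https` is one possible client-side guard rather than anything the post prescribes.

```python
import json
from urllib.parse import parse_qs, urlsplit

def build_request(content_type: str, body: bytes) -> bytes:
    """Serialize a POST exactly as it is written to the socket over plain HTTP."""
    head = (
        "POST /api/orders HTTP/1.1\r\n"          # path is a made-up example
        "Host: service.example.test\r\n"         # host is a made-up example
        f"Content-Type: {content_type}\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return head.encode("ascii") + body

# Constructed sample credentials; the same pair is sent both ways.
APPROACH_X = build_request("application/x-www-form-urlencoded",
                           b"username=alice&password=S3cret%21pass")
APPROACH_Y = build_request("application/json",
                           json.dumps({"username": "alice",
                                       "password": "S3cret!pass"}).encode())

def visible_on_wire(raw: bytes) -> dict:
    """What a passive on-path observer recovers from the captured bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:         # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    ctype = headers.get(b"content-type", b"").split(b";")[0].strip()
    if ctype == b"application/x-www-form-urlencoded":
        fields = {k: v[0] for k, v in parse_qs(body.decode()).items()}
    elif ctype == b"application/json":
        fields = json.loads(body)
    else:
        fields = {}
    return {k: fields[k] for k in ("username", "password") if k in fields}

def require_https(url: str) -> str:
    """Client-side guard: refuse to send credentials to a non-HTTPS endpoint."""
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError(f"refusing to send credentials over {url!r}")
    return url

if __name__ == "__main__":
    for label, raw in (("X", APPROACH_X), ("Y", APPROACH_Y)):
        print(f"approach {label}: observer reads {visible_on_wire(raw)}")
```

Both encodings yield the identical credential pair to the observer; the content type changes only how the bytes are parsed, not who can read them.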
