I am actually trying to send SMS using CDYNE and their API. To do that, I am using Java and HttpGet and HttpClient objects (Httpcore and HttpClient libs). I am sending the request to an https URL, sending the parameters like https://www.example.com/SecureREST/SimpleSMSsend?PhoneNumber=ABC&Message=XYZ
Would it be a security issue that I am using a GET request and that all parameters are in the URL itself? What if the content of the Message parameter in the URL contains sensitive information? Could someone sniff the network to get hold of the content, or is it safe since the request is sent using HTTPS?
My belief is that only the www.example.com is visible during the handshake process and that once this is done, everything is encrypted, but I just want to make sure.
Wikipedia is pretty clear about this:
Note that when a client sends an HTTPS request, the hostname and port of the URL are unencrypted... However, all other parts of the HTTPS request, including the URL path and query parameters, can only be decrypted by the destination site or by an interposing intermediary that terminates the HTTPS connection on behalf of the site.
So your belief is right. Only the hostname and port are openly visible; the rest of the URL is encrypted.
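To check this locally, the following Java program (an added example, not part of the original question or answer) builds the TLS ClientHello for the question's URL with the JDK's SSLEngine, without opening a connection, and searches those unencrypted bytes for the hostname, path and query string. The class name TlsVisibility is made up for illustration, and the code assumes Java 9 or later.

```java
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.net.URI;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.List;

public class TlsVisibility {
    public static void main(String[] args) throws Exception {
        // URL in the shape the question uses (placeholder values from the page).
        URI uri = URI.create(
            "https://www.example.com/SecureREST/SimpleSMSsend?PhoneNumber=ABC&Message=XYZ");
        String host = uri.getHost();
        int port = uri.getPort() == -1 ? 443 : uri.getPort(); // port travels in the TCP header

        // Client-side TLS engine only: no socket is opened and nothing is sent.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setServerNames(List.of(new SNIHostName(host))); // SNI extension, set explicitly
        engine.setSSLParameters(params);

        // The first wrap() emits the ClientHello, which goes out before any keys exist.
        ByteBuffer net = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        engine.beginHandshake();
        engine.wrap(ByteBuffer.allocate(0), net);
        net.flip();
        byte[] hello = new byte[net.remaining()];
        net.get(hello);
        String onWire = new String(hello, StandardCharsets.ISO_8859_1);

        System.out.println("ClientHello bytes: " + hello.length);
        System.out.println("hostname present:  " + onWire.contains(host));
        System.out.println("path present:      " + onWire.contains(uri.getRawPath()));
        System.out.println("query present:     " + onWire.contains(uri.getRawQuery()));

        // The HTTP client writes this only after the handshake, as encrypted application data.
        System.out.println("sent inside TLS:   GET " + uri.getRawPath() + "?"
            + uri.getRawQuery() + " HTTP/1.1");
    }
}
```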