Encrypting HTTP Query String


  1. Encrypting HTTP Query String (8 messages)

    I am interested to know if anyone has secured the http query string by encrypting it. Any pointers and suggestions are highly appreciated. Thanks.

  2. HTTP POST, HTTP GET

    Can you POST the data in a form?

    (instead of HTTP GET)
  3. HTTP POST, HTTP GET

    Just a thought - if you absolutely have to GET then perhaps you could use real encryption and put the RSA private key in the session? Or maybe you could use the Vernam cypher as a "munition-free" approach...

    But Sean is right, POST is better (it also stops the bookmarking of URLs).
  4. HTTP POST, HTTP GET

    I've experienced that the screen transition with HTTP POST was not smooth. There was something flashed for a fraction of a second before the next screen was rendered. Have you experienced the same thing? Thanks.
  5. HTTP POST, HTTP GET

    Not sure why it would specifically affect POST, but I believe you can regulate page flashing by controlling when the response is flushed.
  6. Encrypting HTTP Query String

    We've encrypted data within a query string using public key encryption together with base 64 encoding. The encryption and decryption, and handling of the public / private keys was application specific.

    I don't see how you could successfully encrypt the entire query string in this fashion as the result is not really a query string anymore (and therefore doesn't comply with the HTTP spec).
  7. Encrypting HTTP Query String

    You are right, I didn't mean encrypting the entire query string, instead the data in the query string. Could you please share a bit more about your implementation and point me to some API references? Thanks for your help!
  8. Encrypting HTTP Query String

    I'm not sure if our model is exactly what you require. We're just using a digital signature to verify a particular HTTP request came from a trusted source.

    We generate a public and private key pair (the algorithm you choose will depend on what's supported by your JRE).

    Have a look at the following classes for more information on working with public / private keys using digital signatures:

    java.security.KeyPair
    java.security.KeyPairGenerator
    java.security.PrivateKey
    java.security.PublicKey
    java.security.Signature

    If you actually want to encrypt, and decrypt, data then have a look at the javax.crypto package. We don't do this but I think it's similar to the digital signatures.

    Our digital signature is encoded into the query string using base 64 encoding.
    We use sun.misc.BASE64Decoder and sun.misc.BASE64Encoder to do the base 64 encoding, although the use of these internal Sun classes is frowned upon!
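
The signing scheme described in the post above, sketched as an added example (not the poster's code and not part of the original thread). It assumes an RSA key pair, the `SHA256withRSA` algorithm, a hypothetical `sig` parameter name and constructed sample parameters, and uses `java.util.Base64` (Java 8+) with its URL-safe alphabet in place of the internal `sun.misc` classes.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class SignedQuery {
    private static final String ALG = "SHA256withRSA";   // assumed algorithm
    private static final String SIG_PARAM = "&sig=";     // hypothetical parameter name

    // Sender: sign the exact parameter bytes and append the signature,
    // URL-safe Base64 encoded so it needs no further percent-encoding.
    static String sign(String params, PrivateKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance(ALG);
        s.initSign(key);
        s.update(params.getBytes(StandardCharsets.UTF_8));
        String sig = Base64.getUrlEncoder().withoutPadding().encodeToString(s.sign());
        return params + SIG_PARAM + sig;
    }

    // Receiver: split off the trailing signature and verify it over everything
    // before it. Malformed or missing signatures are rejected, not thrown.
    static boolean verify(String query, PublicKey key) throws GeneralSecurityException {
        int i = query.lastIndexOf(SIG_PARAM);
        if (i < 0) return false;
        byte[] sig;
        try {
            sig = Base64.getUrlDecoder().decode(query.substring(i + SIG_PARAM.length()));
        } catch (IllegalArgumentException e) {
            return false;
        }
        Signature s = Signature.getInstance(ALG);
        s.initVerify(key);
        s.update(query.substring(0, i).getBytes(StandardCharsets.UTF_8));
        try {
            return s.verify(sig);
        } catch (SignatureException e) {   // wrong length or encoding
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair kp = g.generateKeyPair();
        String signed = sign("account=1042&action=view", kp.getPrivate()); // constructed sample
        System.out.println(signed);
        System.out.println("original: " + verify(signed, kp.getPublic()));
        String tampered = signed.replace("1042", "1043");   // parameter changed in transit
        System.out.println("tampered: " + verify(tampered, kp.getPublic()));
    }
}
```

The signature authenticates the parameters but does not hide them, and a captured URL stays valid until the key changes unless a timestamp or nonce is included among the signed parameters.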
  9. Try QueryCrypt - It's recently open sourced QueryCrypt from Aveda Technology