Comment 8 for bug 861854

Jorge L. Williams (jorgew) wrote : Re: [Bug 861854] Re: Token in URL is a security risk

The approach is a misuse of HTTP's uniform interface. If it's necessary for security reasons then so be it.

That said, I'm wondering if a better approach would be to simply encrypt the token in the URI for the purpose of logging. Or better yet (and I realize I'm setting the bar high here) encrypt and base64 the token before placing it in the URI. The caller's own token can be used as the shared secret for the encryption, since it will be encrypted anyway by the SSL.

We might use something like this: http://www.codekoala.com/blog/2009/aes-encryption-python-using-pycrypto/