0

Let's say I connect a safe server example.com.

In which case(s) can a malicious router in the middle of the route (or my ISP) see secret?

?

I think it's true for 1), 3), but I'm unsure about 2).

I'm unsure because I've read that it's not best practice to pass such information via GET (even if HTTPS), but on the other hand, for many APIs, we have to pass auth tokens or api_key via GET requests: https://apiexample.com/endpoint3?api_key=SQKDJHQJSD&action=do123.

Basj
  • 951
  • 2
  • 8
  • 16
  • There's no difference between `GET` and `POST`. It's the TLS that protects the data. And the path is part of the data, whereas the hostname is revealed through SNI. – Esa Jokinen Apr 24 '20 at 11:50
  • Thank you for this information @EsaJokinen. As URL query parameters are "displayed" in GET, I thought POST was different (because the data is not displayed in a browser). But in fact now I realize that displayed or not, this does not change anything about the internals: request header and body. – Basj Apr 24 '20 at 11:54

1 Answers1

1

As long as the traffic is not protected (i.e. only plain HTTP is used and not HTTPS) a device in the path of the connection (like a malicious router) could in theory read and also modify the data without notice. This includes URL, URL parameter, POST body etc. Of course, the actual capabilities of the devices vary.

If the traffic is protected with HTTPS the body of the request and also the request header including path and URL parameters are protected against sniffing. Domain is part of the TLS handshake but is at least protected against modification too.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424