Possible Duplicate:
Types of HTTP authentication and how to design a secure database?

I have an iPhone application which exchanges XML data with my server.

The first time a user runs the application, the application connects to a URL and requests a user id.

I used HTTP Basic Authentication for this, but with a simple web debugger (sniffer) I was able to see all the XML forms sent/received to/from my server and also the URL where the user id is issued.

So what can I do to hide all this data and not have it be so visible with a debugger? Some people suggested using HTTPS (HTTP over SSL), but I see millions of sites/applications that use HTTP for these things. Am I missing something here? What could I do to have this kind of security?

All I want is to avoid someone making a script and flooding my database with trash, as everything (URLs, forms of XML files) is visible.

  • The question this time was what else I could use EXCEPT HTTPS. – donparalias Jan 21 '13 at 01:50
  • But the answer you accepted was to USE HTTPS? So what's up with that? –  Jan 21 '13 at 01:54
  • I guess it was the best answer, in the way I asked my question. That's why I changed the way I asked the question here. Anyway man, I won't argue with you all day about my posts, it's completely ridiculous.. Thank you for downvoting/flagging everything I asked, you are the man! ;) – donparalias Jan 21 '13 at 01:58

1 Answer

HTTPS is what you want to use. If you don't use HTTPS, you are susceptible to attack.

Just because millions of sites are insecure doesn't mean you want yours to be. It is also common for sites to use HTTPS initially, and then HTTP from there. Again though, if you truly want to be protected, use HTTPS.

Finally, HTTPS won't protect you from someone flooding your database with trash. For that, you need good authentication, and rate limit what someone can do from a particular account.

  • Agreed. If the HTTP of the website supports it, you can use encryption of the website too. Some HTTP services support hashing. – Taicho Jan 21 '13 at 01:12
  • What do you mean by "good authentication"? I know HTTP Basic and HTTP over SSL authentication. – donparalias Jan 21 '13 at 01:13
  • Also, what do you mean that millions of sites are insecure? Does Facebook, for example, use HTTPS? I don't think so. However, I am not able to see anything exchanged between my browser and the page. So what is this all about? – donparalias Jan 21 '13 at 01:17
  • Basic authentication is fine (over a secure channel). Just make sure that you are locking users down to one session (if appropriate) and not allowing a few thousand connections from different network addresses for the same account at the same time. And yes, there are plenty of sites out there that are insecure. Facebook does use HTTPS, but I believe it is optional. It is possible to securely pass credentials without HTTPS. See this question: http://stackoverflow.com/a/1364697/362536 – Brad Jan 21 '13 at 01:20
  • Ok. The basic problem for me is how to give my users their user id. The first time the application starts, the application simply "hits" one of my server's URLs and gets the user id. However, this is visible through a debugger, so anyone can make a script to hit this URL a million times and create a million accounts. Would HTTPS help me with that too? – donparalias Jan 21 '13 at 01:26
  • @donparalias, HTTPS makes it hard for folks to discover your URL to create accounts, but it is still possible to get around that. You need to write your scripts in such a way that someone can't hit your URL a million times to create a million accounts. Throttle requests. Check your logs regularly. While many users can share the same network address, there are reasonable limits you can set. You can also have your application sign requests, so that someone would have to get the key to create requests to your web services. This isn't invincible, but goes a long way. – Brad Jan 21 '13 at 01:31
  • Well, it seems then HTTPS is the way to go.. BUT do I need to have a dedicated server to use that? It's kind of an expensive solution. – donparalias Jan 21 '13 at 01:37
  • Dedicated IP, not server; and please don't ask the same question twice. –  Jan 21 '13 at 01:47
  • @donparalias, I'm willing to bet that dealing with information going plaintext over the wire will cost you far more than the $100/yr. a cert does. – Brad Jan 21 '13 at 02:18
  • You are very right @Brad. I just thought I needed a dedicated server for that, which would cost $130/month. – donparalias Jan 21 '13 at 02:47
  • @donparalias, You will need your own IP address. If you are on shared hosting and that is not available to you, a VPS will suffice, and they are as cheap as $10/mo. – Brad Jan 21 '13 at 03:38
  • How can we say HTTPS is secure and an attacker cannot break it? – Monojit Sarkar Jun 22 '17 at 14:16
  • @MonojitSarkar Properly implemented HTTPS over TLS hasn't been broken. Plenty of stuff around it has, and there are a ton of systems not using best practices. There are also people with certificates installed on their systems, allowing eavesdropping without their knowledge. – Brad Jun 22 '17 at 16:43
  • What you said.... when people bind a certificate, then is eavesdropping also possible? – Monojit Sarkar Jun 23 '17 at 09:53
  • Without HTTPS / a certificate, can we secure data transmission, meaning the data will be encrypted and secure so no middleman understands the data if they capture it? – Monojit Sarkar Jun 23 '17 at 09:54
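The answer and Brad's comments recommend two server-side controls on top of HTTPS: having the app sign its requests with a shared key, and throttling what one account can do. The following is an added example (not code from the question or the answer) showing a server-side verifier for HMAC-signed requests with a timestamp window, plus a per-account sliding-window rate limiter; the device id, shared secret and limits are constructed placeholders.

```python
import hmac
import hashlib
import time
from collections import defaultdict, deque

# Constructed placeholder: one shared secret per device, provisioned over HTTPS.
DEVICE_KEYS = {"device-123": b"constructed-shared-secret"}

def sign_request(method, path, body, ts, key):
    """Compute the HMAC-SHA256 tag over method, path, timestamp and body."""
    msg = f"{method}\n{path}\n{ts}\n".encode() + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify_request(method, path, body, ts, device_id, tag, now=None, window=300):
    """Accept only requests signed with a known key inside the time window.

    The window bounds how long a captured request can be replayed; a nonce
    store would be needed to reject replays inside the window.
    """
    key = DEVICE_KEYS.get(device_id)
    if key is None:
        return False
    now = time.time() if now is None else now
    if abs(now - ts) > window:
        return False
    expected = sign_request(method, path, body, ts, key)
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    return hmac.compare_digest(expected, tag)

class RateLimiter:
    """Allow at most `limit` hits per account within any `period` seconds."""
    def __init__(self, limit, period):
        self.limit, self.period = limit, period
        self.hits = defaultdict(deque)

    def allow(self, account, now):
        q = self.hits[account]
        while q and now - q[0] >= self.period:
            q.popleft()          # drop hits that fell out of the window
        if len(q) >= self.limit:
            return False         # throttle: too many recent requests
        q.append(now)
        return True
```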