Does sending hashed password over url path parameter secure?



  • I need to create a WebSocket authentication mechanism without using ticketing, so the whole authentication needs to be performed via the HTTP (over SSL) GET request that is sent to upgrade the connection to a WebSocket (code snippet used to handle the upgrade in NodeJS).

    The problem lies in the GET request, which is not supposed to be used for authentication (mentioned here and here). I would need to send the password via path or query parameters in the URL, e.g. wss://example.com/username/password123, and then validate it on the server side.

    My idea is to encrypt the password on the client side with Argon2 (using a salt) and then send it with the WebSocket upgrade request (GET) over HTTPS as a URL path parameter to the server, which will validate it against the database entry. I know that this question is similar to this one, but it doesn't cover password encryption. Is that enough to say that it's a good and secure approach?

    Thanks for help.



  • Not really a direct answer, but way too long to be a comment.

    I once had to design a system where I had to securely authenticate over a plain HTTP (not HTTPS) connection using an insecure network. And I finally ended up with a manual implementation of a Diffie–Hellman key exchange using asymmetric crypto tools. BTW after the authentication phase, the shared secret was used to encrypt and sign the packets (and the packets were of course numbered).

    The rationale is that:

    • it only used well-known secure implementations (at library level) - rolling your own is highly dangerous in security, because the devil hides in the details
    • no secret was ever transmitted in clear text
    • the protocol was by construction immune to replay attacks

    My conclusion was that Diffie-Hellman was not used by accident in TLS...

    It is slightly more complex to implement than directly sending a secret, and only makes sense if you cannot trust an underlying TLS layer to protect the exchange, but having implemented it, it is not that hard once you can find a nice crypto library.

    BTW, if you want to be super-safe, ephemeral Diffie-Hellman allows Forward Secrecy and is easily implemented with good crypto libraries.


