Http Request Security

dowlinj
Posts: 3
Joined: Mon Dec 17, 2012 1:48 pm

Http Request Security

Postby dowlinj » Mon Dec 17, 2012 2:02 pm

Hi,

I'm currently evaluating the cloud service in an ASP.NET app.

With regard to the httpcontext object that the getdeviceinfo method takes as a parameter, can you tell me:

Is the complete http request sent to the cloud?
Is this sent in plain text?
Is any of this data stored on the cloud?

I'm concerned that some customer/sensitive data could be exposed through use of the service. Is there any option to send just the user agent info if this is the case?

kamermans
Posts: 393
Joined: Mon Jun 06, 2011 9:50 am

Re: Http Request Security

Postby kamermans » Mon Dec 17, 2012 2:51 pm

Hi,

The HTTP headers from the request are passed to our cloud servers for evaluation in plain text. Using SSL would be an idea, but our experience is that performance suffers significantly due to the security handshaking. We store the request with some HTTP headers for quality control and for discovering new and improperly detected devices. Note that with the Premium level account, you can use memory-based caching, which will only send one sample HTTP request per unique user agent, so on a high-traffic site, the ratio of requests that are being sent to our servers could easily be 1:1000 or less.

If privacy is a serious concern, you should consider licensing our onsite, standalone product, which does not send any information back to our servers: http://www.scientiamobile.com/license

Edit:
Also, please note that the following headers are explicitly discarded before logging:

COOKIE
X-FORWARDED-PROTO
X-FORWARDED-PORT
CONNECTION
CACHE-CONTROL
PRAGMA
HOST
AUTHORIZATION

Thanks,

Steve Kamerman
ScientiaMobile

Make sure you check out our WURFL Cloud, WURFL InSight and WURFL InFuze products!

dowlinj
Posts: 3
Joined: Mon Dec 17, 2012 1:48 pm

Re: Http Request Security

Postby dowlinj » Mon Dec 17, 2012 4:41 pm

kamermans wrote: Using SSL would be an idea, but our experience is that performance suffers significantly due to the security handshaking. We store the request with some HTTP headers for quality control and for discovering new and improperly detected devices.
Hi Steve,

Thanks very much for your prompt reply.

Just to clarify, if I'm dealing with a form post and the Cloud API only passes the http header, would I be correct in saying that the data from my form will not be sent in the API call? Apologies, I don't currently have access to the app to debug in Fiddler to see what's being sent across in the request. If no posted form data is included then I'm happy from a security perspective. Also, if you could clarify exactly what you store when you say "we store the request with some HTTP headers".

Also, is SSL a configurable option with the cloud solution?

Finally, does a method exist which just takes the User Agent info as an argument?

Thanks again for your help.

kamermans
Posts: 393
Joined: Mon Jun 06, 2011 9:50 am

Re: Http Request Security

Postby kamermans » Mon Dec 17, 2012 5:25 pm

would I be correct in saying that the data from my form will not be sent in the API call
You are correct. In the case of a form, the variables are sent in the HTTP message body or the request URI, but they do not appear in the HTTP headers.
Also, if you could clarify exactly what you store when you say "we store the request with some HTTP headers"
Yes, here is an example of what we store:

"headers" : {
    "Accept-Encoding" : "gzip",
    "User-Agent" : "Dalvik/1.4.0 (Linux; U; Android 2.3.2; LT15i Build/3.0.A.2.181)"
},
In this case, the only HTTP headers stored were the Accept-Encoding and the User-Agent, because that is all this client sent. If a client sends a strange HTTP header, like X-Foo: Bar, we will log that too, since it may help us to identify the device. The only headers that are never stored currently are the ones mentioned previously.

SSL is not currently available, but this is not the first time we have had a request for it, so we may choose to implement it in the near future (we'll post back here to notify you).

With a premium account, you can create a ScientiaMobile.WurflCloud.Request.WurflCloudRequest object, set its user agent and pass that to the DeviceInfo() method for evaluation.

Thanks,

Steve Kamerman
ScientiaMobile

Make sure you check out our WURFL Cloud, WURFL InSight and WURFL InFuze products!
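The exchange above establishes two points: only the request headers leave the application (never the form body), and the vendor discards a fixed list of headers before logging. The following added example (not ScientiaMobile code, and not the WURFL Cloud client) applies that same list on the application side, so the discarded headers never cross the plain-HTTP link at all, and shows a UA-only mode matching the premium "set its user agent" option. The raw request and the UA_ONLY set are constructed assumptions for illustration.

```python
"""Client-side header minimisation before calling a third-party detection API.

Added example. Models the thread: only HTTP headers leave the app (never the
body/form data), and the headers the vendor says it discards server-side are
dropped locally so they are never sent in clear text in the first place.
"""
from typing import Dict, Tuple

# Headers the vendor states are discarded before logging (from the thread).
VENDOR_DISCARDED = {
    "cookie", "x-forwarded-proto", "x-forwarded-port", "connection",
    "cache-control", "pragma", "host", "authorization",
}
# Assumption: the minimal set a UA-only lookup needs.
UA_ONLY = {"user-agent"}


def parse_raw_request(raw: str) -> Tuple[Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into (headers, body).
    Header names are lower-cased because HTTP header names are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # element 0 is the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def headers_for_cloud(headers: Dict[str, str], ua_only: bool = False) -> Dict[str, str]:
    """Return only the header subset that is allowed to leave the application."""
    if ua_only:
        return {k: v for k, v in headers.items() if k in UA_ONLY}
    return {k: v for k, v in headers.items() if k not in VENDOR_DISCARDED}


# Constructed sample: a form POST carrying a session cookie, a bearer token and form fields.
SAMPLE_POST = (
    "POST /checkout HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "User-Agent: Dalvik/1.4.0 (Linux; U; Android 2.3.2; LT15i Build/3.0.A.2.181)\r\n"
    "Accept-Encoding: gzip\r\n"
    "Cookie: session=abc123\r\n"
    "Authorization: Bearer placeholder-token\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 29\r\n"
    "\r\n"
    "card=0000000000000000&cvv=000"
)

if __name__ == "__main__":
    hdrs, body = parse_raw_request(SAMPLE_POST)
    print(headers_for_cloud(hdrs))               # cookie/authorization/host removed; body never included
    print(headers_for_cloud(hdrs, ua_only=True))  # {'user-agent': 'Dalvik/1.4.0 (...)'}
```

The form fields stay in `body`, which is never passed to `headers_for_cloud`, mirroring the reply that form variables travel in the message body or URI and not in the headers.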

dowlinj
Posts: 3
Joined: Mon Dec 17, 2012 1:48 pm

Re: Http Request Security

Postby dowlinj » Mon Dec 17, 2012 5:31 pm

Thanks again Steve...