by Cogito 5119 days ago
This was exactly what I thought as well.

Using an HTTPS connection is all well and good, but it is not enough. HTTPS is susceptible to man in the middle attacks [1], and securing the params with a pre-shared secret key is essential.

The extra cost in 'complexity' is really far outweighed by the (warranted) extra security.

[1] http://www.thoughtcrime.org/software/sslstrip/


Would you mind elaborating?

sslstrip requires a valid root CA, or an SSL library that doesn't check the signing chain. After using it, though, the parameters are unencrypted and so can simply be sniffed.

Are you attempting to reencrypt the parameters with another key? If so then why run that through https?

> Are you attempting to reencrypt the parameters with another key? If so then why run that through https?

I think they are talking about generating a hash from all of the parameters in the request + a secret, pre-shared key. Doing so prevents MITM attacks from changing the parameters.

IIRC, Amazon does this (among many others).
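The scheme this comment describes (a MAC over all request parameters plus a pre-shared secret, so a man-in-the-middle cannot alter a parameter without the server noticing) can be shown end to end. The following is an added example written for this thread, not code from any commenter or from the linked article; the secret, the `timestamp`/`signature` field names, the path, and the 300-second replay window are all constructed for the demo.

```python
import hashlib
import hmac
import time
from urllib.parse import quote

# Constructed demo key. In practice each API client gets its own secret,
# handed over out of band and stored only by the server and that client.
SHARED_SECRET = b"demo-pre-shared-secret"
# Assumed replay window: requests whose timestamp is older/newer than this are rejected.
MAX_SKEW_SECONDS = 300


def canonical_string(method: str, path: str, params: dict) -> str:
    """Build the exact string both sides sign.

    Parameters are sorted by name and percent-encoded so that reordering or
    re-encoding the query string on the wire cannot change the MAC input.
    Method and path are included so a signature for GET /orders cannot be
    replayed against DELETE /orders.
    """
    items = sorted((k, str(v)) for k, v in params.items())
    encoded = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in items)
    return "\n".join([method.upper(), path, encoded])


def sign_request(method, path, params, secret=SHARED_SECRET, now=None) -> dict:
    """Client side: add a timestamp, then HMAC-SHA256 the canonical string.
    Returns the parameters to send, signature included."""
    signed = dict(params)
    signed["timestamp"] = str(int(now if now is not None else time.time()))
    mac = hmac.new(secret, canonical_string(method, path, signed).encode(), hashlib.sha256)
    signed["signature"] = mac.hexdigest()
    return signed


def verify_request(method, path, received, secret=SHARED_SECRET, now=None) -> bool:
    """Server side: enforce the timestamp window, recompute the MAC over every
    field except the signature, and compare in constant time."""
    if "signature" not in received or "timestamp" not in received:
        return False
    try:
        ts = int(received["timestamp"])
    except ValueError:
        return False
    current = int(now if now is not None else time.time())
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False
    unsigned = {k: v for k, v in received.items() if k != "signature"}
    expected = hmac.new(
        secret, canonical_string(method, path, unsigned).encode(), hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(expected, received["signature"])


def demo():
    """Sign one request, then check three server-side outcomes:
    the genuine request, a copy with `amount` changed in transit, and
    the genuine request replayed an hour later."""
    params = {"account": "12345", "amount": "10.00"}  # constructed sample request
    t0 = 1_700_000_000
    sent = sign_request("POST", "/v1/transfer", params, now=t0)
    genuine = verify_request("POST", "/v1/transfer", sent, now=t0)
    tampered = verify_request("POST", "/v1/transfer", dict(sent, amount="9999.00"), now=t0)
    replayed = verify_request("POST", "/v1/transfer", sent, now=t0 + 3600)
    return genuine, tampered, replayed


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the MAC gives integrity and origin authentication for the parameters, not confidentiality, so a sniffer still reads them and TLS is still needed for that; and the timestamp only bounds replay to the window, so a server that must reject every duplicate also needs to remember recently seen signatures (or add a nonce) within that window.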

Exactly. Have a look here for some information on how to do this: http://www.thebuzzmedia.com/designing-a-secure-rest-api-with...
This article also inspired me to lock down my own API I designed; it's really good advice. The only question is: they wanted to provide a very simple interface, so what is the right trade-off between security and developer UI?