I am trying to encrypt and then decrypt my URL in such a way that the end user doesn't understand what parameters I am getting in the URL, for security purpose.
Let's try to clarify that goal a bit. Do you want that encryption to be done by the client, presumably a browser, so that the request sent from the client will contain encrypted parameters?
And also: why do you want to do that? Just saying "for security purpose" isn't very helpful -- security features should be directed against specific threats. What threats are you concerned about?
Additionally, security must come from the server. If you do not want to expose id values and such in the UI, then they should be encrypted before being sent to the client, which can use them to send them back in URLs in already-encrypted form. There's little to be gained from encrypting path parameters or request parameter names.
If anyone can type a URL into their browser and do something on your system that they are not supposed to, the security problem is on the server and not in the URLs or in the client code.
For example, let's say I type in something like: http://your.system.com/users/213456?command=delete
And let's say this is the URL to tell the system to delete user 213456. Regardless of whether 213456 is an encrypted value or not, if the system lets me do this if I do not have permissions to do so, then your server-side code has insufficient security.
Security should not be through obfuscation, but through thorough authentication and authorization checking. Note: authentication and authorization are not the same thing.
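The point of the post above, as an added Python sketch that is not part of the original thread: the handler for the example URL authenticates the caller, then authorizes the specific action, whether or not the id in the URL is opaque. The session table, the token names and the "admins or self only" policy are assumptions made for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

@dataclass(frozen=True)
class Session:
    user_id: int
    is_admin: bool = False

# Constructed sample data (hypothetical): session token -> authenticated session.
SESSIONS = {
    "tok-admin": Session(1, is_admin=True),
    "tok-alice": Session(213456),
    "tok-bob": Session(987654),
}

def authenticate(token):
    """Authentication: who is calling? Returns a Session or None."""
    return SESSIONS.get(token)

def may_delete(session, target_id):
    """Authorization: may this caller delete target_id?
    Assumed policy: admins may delete anyone, users only themselves."""
    return session.is_admin or session.user_id == target_id

def handle_request(url, token, users):
    """Return an HTTP-style status; removes the id from `users` on success."""
    session = authenticate(token)
    if session is None:
        return 401  # caller is not authenticated
    parts = urlsplit(url)
    segments = parts.path.strip("/").split("/")
    command = parse_qs(parts.query).get("command", [""])[0]
    if len(segments) != 2 or segments[0] != "users" or not segments[1].isdecimal():
        return 400  # not a /users/<id> request
    if command != "delete":
        return 400  # only the delete command is modelled here
    target_id = int(segments[1])
    # Check permission before existence so the response does not reveal valid ids.
    if not may_delete(session, target_id):
        return 403  # authenticated, but not allowed to do this
    if target_id not in users:
        return 404
    users.discard(target_id)
    return 204

if __name__ == "__main__":
    url = "http://your.system.com/users/213456?command=delete"
    users = {1, 213456, 987654}
    for tok in (None, "tok-bob", "tok-alice"):
        print(tok, handle_request(url, tok, users))
```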
You are right, security must be applied on the server side, but I have another scenario as well. I wrote a program 5 years ago, and the option sets which contents to display, e.g. http://my.mywebsite.com?option=1 //2,3,4,5
option=1 is displaying news, option=2 is displaying buy leads, option=3 is displaying sell leads, and so on and so forth.
Farakh khan wrote: You are right, security must be applied on the server side, but I have another scenario as well. I wrote a program 5 years ago, and the option sets which contents to display, e.g. http://my.mywebsite.com?option=1 //2,3,4,5
option=1 is displaying news, option=2 is displaying buy leads, option=3 is displaying sell leads, and so on and so forth.
And so? What's the security threat involved with somebody knowing that?
1. It seems odd to me.
2. The security threat I was talking about is for another website, one that accepts payments. I am passing the customer's contact info with card credentials to the bank gateway.
Farakh khan wrote: 2. The security threat I was talking about is for another website, one that accepts payments. I am passing the customer's contact info with card credentials to the bank gateway.
Now that's a better example. The way you encrypt that data is to use SSL, i.e. to use an https: URL instead of an http: URL. Under no circumstances should you try to write your own code to encrypt it, because your code won't be secure.
1) Will URL encryption and decryption not help in this case?
2) https encrypts and decrypts automatically. The question is why I cannot encrypt or decrypt it manually.
Farakh khan wrote: 2) https encrypts and decrypts automatically. The question is why I cannot encrypt or decrypt it manually.
Because your encryption won't be secure. SSL was designed by people who are competent cryptographers, so there's a reasonable chance it won't be broken. But you aren't a competent cryptographer so your encryption would easily be broken.
Paul Clapham wrote: But you aren't a competent cryptographer...
... so let's suppose you decided to put in the time to become a competent cryptographer. Once you do that, your question is going to be "So why should I reinvent SSL anyway?" There are possible reasons for that, including being able to write a PhD thesis on a topic in cryptography for example, but none of those reasons apply to your bank's need to keep your credit card number secure.
All that, of course, should be suffixed by "... as far as I know" because I'm not a competent cryptographer either.