I am developing a web service that clients connect to in order to get some private data. Each client has a unique identifier and a secret key (generated by the server), which is sent as parameters of the web service for authentication. In addition, all communications are done via HTTPS.
I also plan to use the HMAC-SHA256 to avoid sending the private key over the wire.
However, I wonder if this is strict. Since HTTPS gives me a secure channel between the client and server, why do I really want to send a secret key on this channel?
The only reason I was able to find this is because an unknown developer can add a service in the future and not refuse non-HTTPS connections, so hashing a private key is a kind of insurance against the realities of enterprise software development, if you want .
Did I miss something more important? Is this a real vulnerability that any attack vector can exploit?
Elad source
share