80:483 - GET and POST security

Dave Mason dmason-bqArmZWzea/GcjXNFnLQ/w at public.gmane.org
Thu Oct 4 00:57:05 UTC 2007


No, if you are accessing URL http://foo.bar/blat/babble?zot&zoot
everything after domain name, i.e. everything after the 3rd / is part of
the content, and the domain name is only visible in the IP headers as an
IP address.  So, if you instead use https, since everything in the
contents is encrypted, the only accessible information on or in the
packets is the origin and destination IP addresses.

So there is no difference in security between GET and POST.

To see this, you can replicate the above browser request by:

   telnet foo.bar 80
   GET /blat/babble?zot&zoot HTTP/1.0

(note 2 newlines after the GET line, because since you included the
HTTP/1.0 you are allowed to send headers, and you need a blank line to
show the end of the headers).  The GET line and the headers are content.
Similarly:

   telnet foo.bar 80
   POST /blat/babble HTTP/1.0

   various magic to encode (not encrypt) zot & zoot

Here the POST line, headers and the encoding for zot and zoot are all content.

../Dave
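
An added illustration of the point in the message above (not part of the original post): it builds both requests as raw bytes, with form-urlencoding standing in for the "various magic", and reads the parameters back out of each plaintext payload. The parameter values and the helper names are constructed for the example.

```python
from urllib.parse import urlencode, parse_qsl, urlsplit

PATH = "/blat/babble"                          # path from the message
PARAMS = [("zot", "a b"), ("zoot", "x&y")]     # constructed sample values


def build_get(path, params):
    """Raw HTTP/1.0 GET: the parameters ride in the request line."""
    target = path + "?" + urlencode(params)
    return f"GET {target} HTTP/1.0\r\n\r\n".encode("ascii")


def build_post(path, params):
    """Raw HTTP/1.0 POST: the same parameters, form-urlencoded in the body."""
    body = urlencode(params).encode("ascii")
    head = (
        f"POST {path} HTTP/1.0\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode("ascii")
    return head + body


def recover_params(payload):
    """Read the parameters back from a plaintext TCP payload.

    No key is needed: URL encoding is reversible by anyone.
    Returns (method, where the parameters were found, decoded pairs).
    """
    head, _, body = payload.partition(b"\r\n\r\n")   # blank line ends the headers
    request_line = head.split(b"\r\n", 1)[0].decode("ascii")
    method, target, _version = request_line.split(" ")
    query = urlsplit(target).query
    found = parse_qsl(query, keep_blank_values=True)
    if method == "POST":
        found += parse_qsl(body.decode("ascii"), keep_blank_values=True)
    location = "request line" if query else "body"
    return method, location, found


if __name__ == "__main__":
    for raw in (build_get(PATH, PARAMS), build_post(PATH, PARAMS)):
        print(raw)
        print("  recovered:", recover_params(raw))
```

Both payloads give up the same pairs; only the position inside the content differs.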