80:483 - GET and POST security

Tyler Aviss tjaviss-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Thu Oct 4 01:41:40 UTC 2007


It is generally a "best practice" to avoid sending any sensitive
information in the URL (GET) even with https.

Reason:

http://www.somesite.com?username=foo&password=bar

Guess what happens when somebody checks your "history" in the browser,
or perhaps the history file on the PC. Yup, it's right there in
plaintext in the URL. It does require access to the machine (or an
exploit allowing access to the history), but it's still a safer plan
to use POST requests if possible.



On 10/3/07, Dave Mason <dmason-bqArmZWzea/GcjXNFnLQ/w at public.gmane.org> wrote:
> No, if you are accessing URL http://foo.bar/blat/babble?zot&zoot
> everything after domain name, i.e. everything after the 3rd / is part of
> the content, and the domain name is only visible in the IP headers as an
> IP address.  So, if you instead use https, since everything in the
> contents is encrypted, the only accessible information on or in the
> packets is the origin and destination IP addresses.
>
> So there is no difference in security between GET and POST.
>
> To see this, you can replicate the above browser request by:
>
>    telnet foo.bar 80
>    GET /blat/babble?zot&zoot HTTP/1.0
>
> (note 2 newlines after the GET line, because since you included the
> HTTP/1.0 you are allowed to send headers, and you need a blank line to
> show the end of the headers).  The GET line and the headers are content.
> Similarly:
>
>    telnet foo.bar 80
>    POST /blat/babble HTTP/1.0
>
>    various magic to encode (not encrypt) zot & zoot
>
> Here the POST line, headers and the encoding for zot and zoot are all content.
>
> ../Dave
> --
> The Toronto Linux Users Group.      Meetings: http://gtalug.org/
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
>
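An added example (not code from either poster) that makes the thread's two points concrete in Python: the GET and POST requests Dave sketches carry the same url-encoded form data inside the HTTP content, but only the GET form puts it in the request target, which is what browsers keep in history and servers write to access logs. The log lines are constructed for the example, and the pattern of parameter names treated as secrets is an assumption.

```python
"""Constructed example: the same form data as GET query string vs. POST body,
and a scan of (constructed) access-log lines for credential-like query params."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumed pattern for parameter names that usually carry secrets.
SENSITIVE_NAME = re.compile(
    r"(pass(word|wd)?|pwd|secret|token|api[_-]?key|session(id)?)$", re.I)
# Request field of a common-log-format line: "METHOD target HTTP/x.y"
LOG_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def build_get(host, path, params):
    """Raw HTTP/1.0 GET: the form data rides in the request target (the URL)."""
    return f"GET {path}?{urlencode(params)} HTTP/1.0\r\nHost: {host}\r\n\r\n"

def build_post(host, path, params):
    """Raw HTTP/1.0 POST: same data, url-encoded (not encrypted) in the body."""
    body = urlencode(params)
    return (f"POST {path} HTTP/1.0\r\nHost: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")

def sensitive_params(url):
    """Names of query parameters in url (full URL or bare path) that look like secrets."""
    query = urlsplit(url).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if SENSITIVE_NAME.search(name)]

def flag_log_lines(lines):
    """(line_no, method, names) for each log line whose request target leaks a secret."""
    # A POST body never appears in the request field, so only URL-borne data can hit.
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_REQUEST.search(line)
        if m:
            names = sensitive_params(m.group("target"))
            if names:
                hits.append((n, m.group("method"), names))
    return hits

# Constructed access-log lines modelled on the thread's URL (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Oct/2007:01:41:40 +0000] "GET /login?username=foo&password=bar HTTP/1.0" 200 512',
    '10.0.0.5 - - [04/Oct/2007:01:42:03 +0000] "POST /login HTTP/1.0" 302 0',
    '10.0.0.9 - - [04/Oct/2007:01:45:12 +0000] "GET /search?q=linux HTTP/1.1" 200 2048',
    '10.0.0.9 - - [04/Oct/2007:01:46:30 +0000] "GET /api/items?api_key=abc123 HTTP/1.1" 200 99',
]

if __name__ == "__main__":
    print(flag_log_lines(SAMPLE_LOG))  # lines 1 and 4 carry secrets in the URL
```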