80:483 - GET and POST security
Lennart Sorensen
lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Thu Oct 4 13:47:33 UTC 2007
On Wed, Oct 03, 2007 at 08:57:05PM -0400, Dave Mason wrote:
> No, if you are accessing URL http://foo.bar/blat/babble?zot&zoot
> everything after domain name, i.e. everything after the 3rd / is part of
> the content, and the domain name is only visible in the IP headers as an
> IP address. So, if you instead use https, since everything in the
> contents is encrypted, the only accessible information on or in the
> packets is the origin and destination IP addresses.
>
> So there is no difference in security between GET and POST.
>
> To see this, you can replicate the above browser request by:
>
> telnet foo.bar 80
> GET /blat/babble?zot&zoot HTTP/1.0
>
> (note 2 newlines after the GET line, because since you included the
> HTTP/1.0 you are allowed to send headers, and you need a blank line to
> show the end of the headers). The GET line and the headers are content.
> Similarly:
>
> telnet foo.bar 80
> POST /blat/babble HTTP/1.0
>
> various magic to encode (not encrypt) zot & zoot
>
> Here the POST line, headers and the encoding for zot and zoot are all content.
Hmm, I think you are right. Just because it looks that way in the
browser doesn't mean it is part of the same request.
--
Len Sorensen
--
The Toronto Linux Users Group. Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
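As an added illustration (not code from the thread), the two raw requests Dave Mason sketches with telnet, built in Python so you can see where the parameters actually sit. `HOST` and `PATH` are the thread's `foo.bar` and `/blat/babble`; the values given to `zot` and `zoot` are constructed for the example.

```python
from urllib.parse import urlencode

HOST = "foo.bar"          # hostname from the thread
PATH = "/blat/babble"     # path from the thread
# Constructed sample parameters (the thread's bare "zot&zoot" given values).
PARAMS = {"zot": "1", "zoot": "2"}


def build_get(host, path, params):
    """Raw HTTP/1.0 GET: the query string rides in the request line."""
    return (f"GET {path}?{urlencode(params)} HTTP/1.0\r\n"
            f"Host: {host}\r\n"
            "\r\n").encode()


def build_post(host, path, params):
    """Raw HTTP/1.0 POST: the 'magic' is application/x-www-form-urlencoded,
    an encoding (not encryption) placed after the blank line."""
    body = urlencode(params).encode()
    head = (f"POST {path} HTTP/1.0\r\n"
            f"Host: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n"
            "\r\n")
    return head.encode() + body


def locate(raw, needle):
    """Report which part of the TCP payload carries `needle`:
    'request-line', 'headers', 'body', or None. Everything this function
    can see is inside the payload, so under TLS all of it is encrypted; an
    on-path observer is left with IP addresses and ports (and, with modern
    TLS, the server name sent in the clear via SNI)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *headers = head.split(b"\r\n")
    if needle in request_line:
        return "request-line"
    if any(needle in h for h in headers):
        return "headers"
    if needle in body:
        return "body"
    return None


if __name__ == "__main__":
    for name, req in (("GET", build_get(HOST, PATH, PARAMS)),
                      ("POST", build_post(HOST, PATH, PARAMS))):
        print(f"{name}: zot=1 is in the {locate(req, b'zot=1')}")
```

Both requests carry the parameters in the payload (request line for GET, body for POST); the hostname appears in the Host header, which is payload too.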