80:483 - GET and POST security

Lennart Sorensen lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Thu Oct 4 13:49:12 UTC 2007


On Wed, Oct 03, 2007 at 06:41:40PM -0700, Tyler Aviss wrote:
> It is generally a "best practice" to avoid sending any sensitive
> information in the URL (GET) even with https.
> 
> Reason.
> 
> http://www.somesite.com?username=foo&password=bar
> 
> Guess what happens when somebody checks your "history" in the browser,
> or perhaps the history file on the PC. Yup, it's right there in
> plaintext in the URL. It does require access to the machine (or an
> exploit allowing access to the history), but it's still a safer plan
> to use POST requests if possible.

That is NOT the protocol's fault.  That would be a flaw in the browser
design.

--
Len Sorensen
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
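As an added example that is not part of the thread, here is a defender's check for the problem Tyler describes: a small Python script that scans constructed web-server access log lines for credentials in GET query strings and redacts them. The POST login in the same sample shows nothing, because the request body never reaches the logged request line. The parameter-name list and the combined log format are assumptions.

```python
"""Flag credentials that leaked into URL query strings in web server access logs.

Secrets sent via GET end up in browser history, proxy logs and server access
logs; a POST body does not appear in the request line of a combined log.
"""
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Parameter names that commonly carry secrets (assumed list; extend as needed)
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "token", "secret",
                    "api_key", "apikey", "sessionid", "session"}

# Request line of an Apache/nginx "combined" log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def redact_url(target: str) -> str:
    """Return the request target with values of sensitive parameters replaced."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))

def find_leaked_params(log_lines):
    """Return (method, leaked_keys, redacted_target) for each line exposing secrets."""
    findings = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # malformed or non-HTTP line; skip it
        target = m.group("target")
        keys = [k for k, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True)
                if k.lower() in SENSITIVE_PARAMS]
        if keys:
            findings.append((m.group("method"), sorted(set(keys)), redact_url(target)))
    return findings

# Constructed sample log lines (not real traffic)
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Oct/2007:13:49:12 +0000] "GET /login?username=foo&password=bar HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [04/Oct/2007:13:49:20 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [04/Oct/2007:13:50:01 +0000] "GET /api/items?page=2&token=abc123 HTTP/1.1" 200 2048 "-" "curl/7.16"',
]

if __name__ == "__main__":
    for method, keys, redacted in find_leaked_params(SAMPLE_LOG):
        print(f"{method} leaked {keys}: {redacted}")
```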