80:483 - GET and POST security

Tyler Aviss tjaviss-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Thu Oct 4 21:16:19 UTC 2007


Yes, but that doesn't mean that one shouldn't be aware of such and
make allowances for it.

On 10/4/07, Lennart Sorensen <lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org> wrote:
> On Wed, Oct 03, 2007 at 06:41:40PM -0700, Tyler Aviss wrote:
> > It is generally a "best practice" to avoid sending any sensitive
> > information in the URL (GET) even with https.
> >
> > Reason:
> >
> > http://www.somesite.com?username=foo&password=bar
> >
> > Guess what happens when somebody checks your "history" in the browser,
> > or perhaps the history file on the PC. Yup, it's right there in
> > plaintext in the URL. It does require access to the machine (or an
> > exploit allowing access to the history), but it's still a safer plan
> > to use POST requests if possible.
>
> That is NOT the protocol's fault.  That would be a flaw in the browser
> design.
>
> --
> Len Sorensen
> --
> The Toronto Linux Users Group.      Meetings: http://gtalug.org/
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
>
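A defender-side check for the leak Tyler describes, added here as an example that is not part of the thread: it parses constructed web-server access-log lines, flags requests that carry password-like parameters in the URL query string (where they would also land in browser history and proxy logs), and redacts such URLs before they are logged. The SENSITIVE_KEYS set and the sample log lines are assumptions.

```python
"""Added example (not from the list thread): find credentials passed as
GET query parameters in access-log lines, and redact them for safe logging.
The log lines below are constructed samples, not real traffic."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that commonly carry secrets (assumption: extend per application).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "api_key", "apikey",
                  "secret", "session", "sessionid", "auth"}

# Apache/nginx "combined" format: method, request-target and protocol in quotes.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def find_sensitive_params(url: str) -> list:
    """Return the names of query parameters whose key looks like a secret."""
    query = urlsplit(url).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_KEYS]


def redact_url(url: str) -> str:
    """Replace the values of sensitive parameters so the URL can be stored safely."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_KEYS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_access_log(lines) -> list:
    """Return (method, request-target, leaked keys) for every request that
    carries a sensitive parameter in its URL; POST bodies are not in the log."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        keys = find_sensitive_params(m.group("path"))
        if keys:
            findings.append((m.group("method"), m.group("path"), keys))
    return findings


SAMPLE_LOG = [  # constructed lines in combined log format
    '10.0.0.5 - - [04/Oct/2007:21:16:19 +0000] "GET /login?username=foo&password=bar HTTP/1.1" 200 512',
    '10.0.0.5 - - [04/Oct/2007:21:16:25 +0000] "POST /login HTTP/1.1" 302 0',
    '10.0.0.7 - - [04/Oct/2007:21:17:02 +0000] "GET /search?q=linux HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for method, path, keys in scan_access_log(SAMPLE_LOG):
        print(f"{method} {redact_url(path)}  leaks: {', '.join(keys)}")
```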