[thelist] Security of Post vs Get

Ken Schaefer ken.schaefer at gmail.com
Tue Aug 24 19:15:59 CDT 2004


On Wed, 25 Aug 2004 01:03:40 +0100, Richard Davey <rich at launchcode.co.uk> wrote:
> Hello Ken,
> 
> Wednesday, August 25, 2004, 12:41:38 AM, you wrote:
> 
> KS> I disagree. Hershel mentioned that this is a "secure" site. Presumably
> KS> this means that the site is secured using a server certificate and
> KS> served over HTTPS
> 
> It depends on what actually needs to be secure in this instance. If
> it's the transmission of the data from snooping, then yes POST will be
> better. If it's the actual data itself, then it's totally irrelevant

Using certificates to identify the machine or user and encrypt data
transmission is "protecting data" as well. I think you mean
"protecting data from the end user", whereas I was talking about
"protecting data from a 3rd party"

There is no way you can protect data from the end user /if/ you are
sending the data to a machine that the end user controls completely.

> if he uses GET or POST as all values will still be visible to the end
> user anyway. 

Well GET/POST are ways of sending data from the user to the server, so
I don't see how GET/POST have any bearing on protecting the data from
the user - it's the user (or the user's computer) that is generating
the data to send to the server. Why would the HTTP verb used to
transmit data from the client machine to the server have anything to
do with securing the data on the user's machine?

Cheers
Ken
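
As an added illustration of the point in this message (not code from the thread), the Python sketch below parses a constructed GET request and a constructed POST request carrying the same fields. The server recovers identical client-authored values either way; the only difference is that the GET values sit in the request line, which is what access logs commonly record. The host name, path and field names are made up for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample requests: the same form fields sent with each verb.
# Both byte strings are composed entirely on the client machine.
GET_REQUEST = (
    b"GET /order?account=12345&amount=10 HTTP/1.1\r\n"
    b"Host: shop.example\r\n\r\n"
)
POST_REQUEST = (
    b"POST /order HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 23\r\n\r\n"
    b"account=12345&amount=10"
)

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request_line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def form_fields(raw: bytes) -> dict:
    """Return the form fields the server sees, whichever verb carried them."""
    request_line, headers, body = parse_request(raw)
    method, target, _version = request_line.split(" ", 2)
    if method == "GET":
        encoded = urlsplit(target).query
    elif method == "POST":
        length = int(headers.get("content-length", "0"))
        encoded = body[:length].decode("ascii")
    else:
        raise ValueError(f"unsupported method: {method}")
    return {key: values[0] for key, values in parse_qs(encoded).items()}

def logged_request_line(raw: bytes) -> str:
    """Assumption: the access log stores the request line and not the body."""
    return parse_request(raw)[0]

if __name__ == "__main__":
    for raw in (GET_REQUEST, POST_REQUEST):
        print(logged_request_line(raw), "->", form_fields(raw))
```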

