[thelist] Security of Post vs Get

Paul Cowan evolt at funkwit.com
Wed Aug 25 01:25:14 CDT 2004


On 25/08/2004 9:41 AM +1000 Ken Schaefer wrote:
> When using HTTPS the actual URI requested is *not* encrypted. This is
> passed as plain text to the server. Everything else is encrypted,
> included all other HTTP headers (which in turn includes the POSTed
> data).

I'm not sure I'm interpreting this correctly, but if Ken's saying what I 
think he's saying, then it's not correct.

If a web client requests a file from a web server over SSL, everything is 
encrypted. The encryption is set up at the protocol level, if you like, 
before the URL is transmitted to the server.

If someone enters https://foo.com/bar?baz=whatever in their browser:
* the browser connects to foo.com on port 443 (usually)
* the browser and the server negotiate SSL security
* then and only then is the GET /bar?baz=whatever sent to the server

The /bar?baz=whatever is never transmitted in plain text (though in 
basically all browsers, the string will be visible over someone's shoulder 
in the URL bar etc -- that is the primary security disadvantage of GET vs 
POST).

Cheers,

Paul.
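Added example, not code from this thread: the Go program below reproduces the sequence Paul describes in-process with Go's crypto/tls, a constructed self-signed certificate for the hypothetical host foo.com, and a tap on the client's end of a net.Pipe. After the handshake the server decrypts GET /bar?baz=whatever intact, yet that path never appears in the bytes that crossed the wire; the only name visible in the clear is foo.com in the ClientHello's SNI, i.e. the host, not the URL.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)
// wireTap records every byte the client writes to the wire, handshake and data alike.
type wireTap struct {
	net.Conn
	log bytes.Buffer
}
func (w *wireTap) Write(p []byte) (int, error) { w.log.Write(p); return w.Conn.Write(p) }
// FetchOverTLS sends one HTTP request over an in-process TLS connection and returns the raw bytes the client put on the wire plus the request text the server decrypted.
func FetchOverTLS(host, request string) ([]byte, string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed throwaway cert for host
	if err != nil {
		return nil, "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, "", err
	}
	leaf, _ := x509.ParseCertificate(der)
	roots := x509.NewCertPool()
	roots.AddCert(leaf) // the client trusts only this one certificate
	cEnd, sEnd := net.Pipe()
	tap := &wireTap{Conn: cEnd}
	client := tls.Client(tap, &tls.Config{ServerName: host, RootCAs: roots})
	// Tickets are off only because net.Pipe is synchronous: a post-handshake ticket write would deadlock.
	server := tls.Server(sEnd, &tls.Config{SessionTicketsDisabled: true,
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}}})
	got := make(chan string, 1)
	go func() { // server side: Read drives the handshake, then yields the decrypted request
		buf := make([]byte, 4096)
		n, _ := server.Read(buf)
		got <- string(buf[:n])
	}()
	if _, err := client.Write([]byte(request)); err != nil { // handshake first, then the GET
		return nil, "", err
	}
	return tap.log.Bytes(), <-got, nil // ClientHello (SNI in the clear) then encrypted records
}
```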

