On 25/08/2004 9:41 AM +1000 Ken Schaefer wrote:

> When using HTTPS the actual URI requested is *not* encrypted. This is
> passed as plain text to the server. Everything else is encrypted,
> including all other HTTP headers (which in turn includes the POSTed
> data).

I'm not sure I'm interpreting this correctly, but if Ken's saying what I think he's saying, then it's not correct.

If a web client requests a file from a web server over SSL, everything is encrypted. The encryption is set up at the protocol level, if you like, before the URL is transmitted to the server.

If someone enters https://foo.com/bar?baz=whatever in their browser:

* the browser connects to foo.com on port 443 (usually)
* the browser and the server negotiate SSL security
* then and only then is the GET /bar?baz=whatever sent to the server

The /bar?baz=whatever is never transmitted in plain text (though in basically all browsers, the string will be visible over someone's shoulder in the URL bar etc -- that is the primary security disadvantage of GET vs POST).

Cheers,
Paul.
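
The ordering described in the message above, as an added example that is not part of the original post: using Python's standard ssl module with in-memory BIOs, it captures what a client puts on the wire before any server reply and checks that the request line is not in it. The function name, the Host header and the use of a current TLS stack are assumptions for illustration.

```python
import ssl

# Constructed request matching the URL used in the message above.
REQUEST = b"GET /bar?baz=whatever HTTP/1.1\r\nHost: foo.com\r\n\r\n"


def client_first_flight(hostname="foo.com", request=REQUEST):
    """Return (wire_bytes, request_was_sent) for a client that has not yet
    received anything from the server. No network connection is made."""
    ctx = ssl.create_default_context()
    incoming = ssl.MemoryBIO()  # bytes from the server (none arrive here)
    outgoing = ssl.MemoryBIO()  # bytes the client would put on the wire
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)

    # Negotiation starts: the client emits its ClientHello, then has to
    # wait for the server's half of the handshake.
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass
    wire = outgoing.read()

    # Try to send the HTTP request before negotiation has finished.
    # The TLS layer refuses to emit application data at this point.
    sent = True
    try:
        tls.write(request)
    except ssl.SSLWantReadError:
        sent = False
    wire += outgoing.read()
    return wire, sent


if __name__ == "__main__":
    wire, sent = client_first_flight()
    print("bytes on the wire:", len(wire))
    print("first record type: 0x%02x (0x16 = handshake)" % wire[0])
    print("request sent before negotiation finished:", sent)
    print("path visible in captured bytes:", b"/bar?baz=whatever" in wire)
```
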