[thelist] Security of Post vs Get
Ken Schaefer
ken.schaefer at gmail.com
Wed Aug 25 02:27:11 CDT 2004
Paul is 100% correct. I have no idea what I was smoking when I wrote
what I did earlier. In fact, I would say that I was "confused", but in
trying to work out what I might have been confusing, I'm completely
stuck. The only thing that comes close is that URIs are typically
logged in server logs, unencrypted, so perhaps that's what I was
thinking of.
In any case, I was 100% wrong in what I wrote before - do not rely on
it whatsoever! Paul's statement is 100% correct.
Thanks for picking that up!
Cheers
Ken
On Wed, 25 Aug 2004 16:25:14 +1000, Paul Cowan <evolt at funkwit.com> wrote:
>
> On 25/08/2004 9:41 AM +1000 Ken Schaefer wrote:
> > When using HTTPS the actual URI requested is *not* encrypted. This is
> > passed as plain text to the server. Everything else is encrypted,
> > including all other HTTP headers (which in turn includes the POSTed
> > data).
>
> I'm not sure I'm interpreting this correctly, but if Ken's saying what I
> think he's saying, then it's not correct.
>
> If a web client requests a file from a web server over SSL, everything is
> encrypted. The encryption is set up at the protocol level, if you like,
> before the URL is transmitted to the server.
>
> If someone enters https://foo.com/bar?baz=whatever in their browser:
> * the browser connects to foo.com on port 443 (usually)
> * the browser and the server negotiate SSL security
> * then and only then is the GET /bar?baz=whatever sent to the server
>
> The /bar?baz=whatever is never transmitted in plain text (though in
> basically all browsers, the string will be visible over someone's shoulder
> in the URL bar etc -- that is the primary security disadvantage of GET vs
> POST).
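As an added example, not part of this thread: Ken's remaining point is that the request URI (query string included) ends up in the server's access log even though it was encrypted on the wire. The scrubber below masks the values of named query parameters in Common Log Format lines before they are retained; the parameter names and the two log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Hypothetical list of query parameters whose values must not be kept in logs.
SENSITIVE_PARAMS = {"password", "token", "session", "baz"}

# Request line inside a Common/Combined Log Format entry, e.g. "GET /bar?baz=x HTTP/1.1"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<version>HTTP/\d\.\d)"')


def redact_target(target: str, sensitive=SENSITIVE_PARAMS) -> str:
    """Return the request target with sensitive query values replaced."""
    parts = urlsplit(target)
    if not parts.query:            # plain path (typical POST): nothing to mask
        return target
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "[REDACTED]" if k.lower() in sensitive else v) for k, v in pairs]
    # safe="[]" keeps the marker readable instead of percent-encoding it
    return urlunsplit(parts._replace(query=urlencode(cleaned, safe="[]")))


def redact_log_line(line: str) -> str:
    """Rewrite one access-log line so the request line carries no sensitive values."""
    return REQUEST_LINE.sub(
        lambda m: f'"{m["method"]} {redact_target(m["target"])} {m["version"]}"', line
    )


# Constructed sample log lines: a GET carrying a secret in the query, and a POST
# whose body never reaches the access log in the first place.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Aug/2004:16:25:14 +1000] "GET /bar?baz=whatever&page=2 HTTP/1.1" 200 512',
    '203.0.113.5 - - [25/Aug/2004:16:25:20 +1000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(redact_log_line(entry))
```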