[thelist] Security of Post vs Get
Paul Cowan
evolt at funkwit.com
Wed Aug 25 01:25:14 CDT 2004
On 25/08/2004 9:41 AM +1000 Ken Schaefer wrote:
> When using HTTPS the actual URI requested is *not* encrypted. This is
> passed as plain text to the server. Everything else is encrypted,
> including all other HTTP headers (which in turn includes the POSTed
> data).
I'm not sure I'm interpreting this correctly, but if Ken's saying what I
think he's saying, then it's not correct.
If a web client requests a file from a web server over SSL, everything is
encrypted. The encryption is set up at the protocol level, if you like,
before the URL is transmitted to the server.
If someone enters https://foo.com/bar?baz=whatever in their browser:
* the browser connects to foo.com on port 443 (usually)
* the browser and the server negotiate SSL security
* then and only then is the GET /bar?baz=whatever sent to the server
The /bar?baz=whatever is never transmitted in plain text (though in
basically all browsers, the string will be visible over someone's shoulder
in the URL bar etc -- that is the primary security disadvantage of GET vs
POST).
Cheers,
Paul.