[thelist] More on SSL querystring encryption

Luther, Ron Ron.Luther at COMPAQ.com
Thu Nov 30 16:53:20 CST 2000


Hi Gang,


Someone (Scott maybe?) was asking about whether the querystring 'GET'
variables were encrypted when using SSL.

The predominant response here was "yep".

However, I just read in the O'Reilly 'Web Security & Commerce' book last
night ... that if a user is on an SSL site --- let's say doing a banking
wire transfer with account numbers and passwords coded into the querystring
--- [not that any of us would do that!] --- and then they pull down their
'favorites' menu and opt out to your (non-SSL) web page {without pushing
your 'logout' button} ... that the refer link logged on your website will
contain their UNENCRYPTED prior link --- querystring and account numbers
included!

Whoa!

Now ... this is an older book (June '97) ... so maybe things have changed
... but if they haven't, this would definitely be something to think about.

{Crossing his fingers that this is useful 'security' information [I'm
reading the book because I realize how little I know about this area.] and
not an old dead horse that has long since been carted away....}

Ron L.
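
A site operator can check whether their own access logs have captured the kind of referring link described above. The following is an added example, not part of the original post: it parses Combined Log Format lines, flags `https` Referer values that arrived with a query string, and rewrites the line with the parameter values redacted. The log lines, host names and parameter names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample input (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Nov/2000:16:53:20 -0600] "GET /index.html HTTP/1.0" 200 2326 '
    '"https://bank.example/wire?acct=12345678&pin=0000" "Mozilla/4.0"',
    '192.0.2.11 - - [30/Nov/2000:16:54:02 -0600] "GET /index.html HTTP/1.0" 200 2326 '
    '"-" "Mozilla/4.0"',
    '192.0.2.12 - - [30/Nov/2000:16:55:41 -0600] "GET /about.html HTTP/1.0" 200 1170 '
    '"https://shop.example/cart" "Mozilla/4.0"',
    '192.0.2.13 - - [30/Nov/2000:16:56:07 -0600] "GET /index.html HTTP/1.0" 200 2326 '
    '"http://search.example/?q=thelist" "Mozilla/4.0"',
]

def redact_referer(referer):
    """Return (url with every query value replaced, list of parameter names)."""
    parts = urlsplit(referer)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    scrubbed = urlencode([(name, "REDACTED") for name, _ in pairs])
    return urlunsplit(parts._replace(query=scrubbed)), [name for name, _ in pairs]

def scan(lines):
    """Collect https Referers that were logged together with a query string."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = LINE_RE.match(line)
        if not match:
            continue  # not Combined Log Format; skip rather than guess
        referer = match.group("referer")
        if urlsplit(referer).scheme.lower() != "https":
            continue  # "-" (no Referer) and plain-http referrers are out of scope
        redacted, names = redact_referer(referer)
        if names:
            findings.append({"line": number, "params": names, "redacted": redacted,
                             "clean_line": line.replace(referer, redacted)})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["line"], finding["params"], finding["redacted"])
```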





