[thelist] https question

Seb seb at members.evolt.org
Fri Jan 10 15:52:00 CST 2003


Just to clear this up:

Sending form data to a secure page from *any* page:

1. Client initiates HTTP connection on port 443 (or whatever is defined for
SSL over HTTP)
2. Server responds, and the encryption level is negotiated. Server sends
client certificate to client.
3. Client uses the certificate to encrypt the REQUEST, and this is then
sent to server.
4. Server uses certificate to decrypt the REQUEST, and processes it.
5. Server encrypts RESPONSE, and sends to client.
6. Client decrypts RESPONSE, and displays.
7. Connection is closed.

Forget querystrings and stateful connections. There is no querystring, no
form data, nothing, until *after* an HTTP connection has been successfully
negotiated and encryption is in place.

SSL means Secure Socket Layer. This means that it's the transport layer
that is encrypted, and this covers all communication backwards and forwards
after the connection has been negotiated. Sensitive data cannot be sent as
clear text in this manner.

However, there is a possibility that it's not the webserver that you're
communicating with, and there could be a proxy in front of the webserver that is
handling secure requests. This would be fairly bad, but I have seen it
done. In such a case, if you sent form data on the querystring, the proxy
server might log the querystring after decrypting it, totally negating the
point of encrypting data. So, always make sure that you use POST as the
method in your forms, just in case some incompetent fools somewhere (like,
say at an ex-employer) decided that such a thing might be a good idea.

Oh, as for the length of the querystring: there doesn't seem to be a limit,
though some servers and some clients do impose limits. (Netscape Enterprise
Server 4 has a limit of 4KiB, but NS4.5 browser seems to choke on 1KiB.)
Another good reason to use POST.

- seb.
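
The logging risk described in the message above, as an added example that is not part of the original post: a short audit that scans access-log lines from an SSL-terminating proxy or web server for sensitive form fields that arrived on the querystring. The log format (Common Log Format), the parameter names in SENSITIVE and the sample lines are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names treated as sensitive (an assumption for this example).
SENSITIVE = {"password", "passwd", "card", "cardnumber", "cvv", "ssn", "token"}

# Request portion of a Common Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def leaked_params(log_line):
    """Return sorted sensitive parameter names found in the logged querystring."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    # The request target is logged after decryption, querystring included.
    query = urlsplit(m.group("target")).query
    names = {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(names & SENSITIVE)

def audit(lines):
    """Map 1-based line number -> leaked parameter names, for lines that leak."""
    findings = {}
    for n, line in enumerate(lines, 1):
        hit = leaked_params(line)
        if hit:
            findings[n] = hit
    return findings

# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jan/2003:15:40:01 -0600] "GET /checkout?card=4111111111111111&cvv=123 HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/Jan/2003:15:41:12 -0600] "POST /checkout HTTP/1.1" 200 512',
    '192.0.2.11 - - [10/Jan/2003:15:42:30 -0600] "GET /search?q=shoes&page=2 HTTP/1.1" 200 2048',
    '192.0.2.12 - - [10/Jan/2003:15:43:05 -0600] "GET /login?user=seb&Password=hunter2 HTTP/1.0" 302 0',
]

if __name__ == "__main__":
    for n, names in audit(SAMPLE_LOG).items():
        print(f"line {n}: sensitive query parameters logged: {', '.join(names)}")
```

The POST line is not flagged because the form fields travel in the request body, which the request line in the access log does not include.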



