GET vs. POST, more browser security questions

david nicol whatever at davidnicol.com
Fri Jun 7 01:04:09 CDT 2002


The difference is whether data appears in the URL or not.  That is
the whole difference.  SSL protects from sniffers, and protects
both.  The thing that POST prevents is compromise due to acquisition
of the cached URLs list.  Many versions of Netscape allow a JavaScript
program to obtain your about:cache page in its entirety.  Any sensitive
data appended to a https URL, for instance

	https://bo.gu.s/cgi/ringup?CC=1234.5678.9871.234&SC=JSHFGIWM

is going to be listed as such in the cache.

POST data does not appear in this list.

SSL is what is stopping the owner of the router from logging the
traffic.
POST is merely putting the data somewhere besides appending it to the
URL.

jd0g wrote:
> 
> Hello,
>         Is it more secure to send parameters to a web server in a POST HTTPS
> request or a GET HTTPS request?  The W3C says that a POST request is
> slightly more secure ( I think, see
> http://www.w3.org/Security/Faq/wwwsf4.html#CGI-Q12 ) For example, if I look
> at the lines in my Apache access.log file for a GET request I can see every
> HTTP parameter after the '?' unlike a POST request where I just see the base
> URL.  Are HTTPS headers SSL encrypted along with the document being
> transmitted? Now when my web browser makes a GET request to my favorite
> e-commerce web site is it possible that a router or someone with a 'sniffer'
> somewhere can pickup that URL and see the key-value parameters and if the
> programmers aren't careful could embed sensitive information in the URL?
> What is stopping the owner of the router from logging the URL requests that
> travel through it?
> 
> j
> 

-- 
Mad, adj.:
        Affected with a high degree of intellectual independence
                -- Ambrose Bierce, "The Devil's Dictionary"
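
Added example, not part of the original post: the thread notes that GET parameters end up in the Apache access.log and in URL caches while POST bodies do not, so this sketch audits access-log lines for sensitive query parameters and redacts them. The log lines are constructed samples in Apache common log format, and the SENSITIVE name list is an assumption (only CC and SC come from the URL in the post).

```python
import re
from urllib.parse import parse_qsl, urlencode

# Parameter names treated as sensitive (assumption; CC and SC are from the post's URL).
SENSITIVE = {"cc", "sc", "password", "token"}

# Request field of an Apache common/combined log line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def redact_line(line):
    """Return (redacted_line, leaked_param_names) for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m or "?" not in m.group("target"):
        return line, []          # POST to a bare URL, or no query string at all
    path, _, query = m.group("target").partition("?")
    leaked, pairs = [], []
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key.lower() in SENSITIVE:
            leaked.append(key)
            value = "REDACTED"
        pairs.append((key, value))
    if not leaked:
        return line, []          # leave harmless query strings byte-for-byte intact
    start, end = m.span("target")
    return line[:start] + path + "?" + urlencode(pairs) + line[end:], leaked

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Jun/2002:01:04:09 -0500] "GET /cgi/ringup?CC=1234.5678.9871.234&SC=JSHFGIWM HTTP/1.0" 200 512',
    '192.0.2.10 - - [07/Jun/2002:01:05:00 -0500] "POST /cgi/ringup HTTP/1.0" 200 512',
    '192.0.2.11 - - [07/Jun/2002:01:06:00 -0500] "GET /catalog?page=2 HTTP/1.0" 200 1024',
]

def audit(lines):
    """Redact every line and collect (line_number, leaked_names) findings."""
    cleaned, findings = [], []
    for n, line in enumerate(lines, 1):
        redacted, leaked = redact_line(line)
        cleaned.append(redacted)
        if leaked:
            findings.append((n, leaked))
    return cleaned, findings

if __name__ == "__main__":
    cleaned, findings = audit(SAMPLE_LOG)
    for line in cleaned:
        print(line)
    print("lines with sensitive query parameters:", findings)
```
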




More information about the Kclug mailing list