> -----Original Message-----
> From: Dave Watts [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 28, 2005 11:45 AM
> To: CF-Talk
> Subject: RE: Security of GET vs. POST via HTTPS?
>
> > We've got a 3rd party API that we call via HTTPS. They want the
> > data submitted via GET (i.e. URL strings) whereas it's my
> > understanding that POST would be more secure. Am I correct in
> > my understanding or losing my mind?
>
> You are incorrect, but I doubt you're losing your mind. When you make an
> HTTPS request, the entire request (including the URL you're requesting) is
> encrypted. So, they are equally secure. For that matter, they're equally
> secure within plain old HTTP - both are perfectly readable plaintext.
> However, variables within a URL are easily observed by the user of a
> browser, so in that sense they are more likely to be tinkered with by the
> user.
Also, when used in a browser, they are normally bookmarked with the page. This now extends security requirements to the machine containing the bookmarks as well as the user.

What this comes down to is the boundaries of security. SSL (HTTPS) is bounded by the user agent (browser) and the server (or security appliance). It protects only the contents of requests between these two points. The encrypted data isn't protected at all (it's flying across public lines in most cases). The network information isn't protected (somebody could snoop the lines and discover the IP addresses and possibly locations of both machines involved). Only the actual data stream is protected.

In this sense, considering just HTTP and HTTPS, there's no difference between POST and GET. However, when you look at the ends (set boundaries for the entire application) you can see some potential issues. Again, the GET information is part of the URL, so anything that logs, captures, or saves URL information (like bookmarking) will also log, capture or save that information. It's just as easy to do the same for POST data, but it's less common.

The server side has similar issues. Most servers will log URL query strings, but don't automatically log POST variables (again, however, they could easily do both). So while the transmission is secure with SSL, are the log files secure? Are the machines secure? You can't extend your boundaries forever, but you should know where they get fuzzy at least. ;^)

I find it's a useful mental exercise to role-play this kind of stuff and explore outside the boundaries of the set security... are people going to bookmark your pages? Might they use public terminals? Will they always use browsers with SSL? JavaScript? Cookies?

Jim Davis
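The point Jim makes about the server side (query strings land in access logs, POST bodies normally do not) is easy to see with a small script. The following is an added example, not code from the thread or from House of Fusion: it builds Common Log Format lines the way a typical web server would for a GET and a POST carrying the same credentials, then scans a log for sensitive parameter names in query strings and redacts their values. The parameter list, the sample log lines and the `203.0.113.7` client address are constructed for the demonstration.

```python
"""Added example: why GET parameters are the riskier carrier for secrets even
over HTTPS. TLS protects the request in transit; the access log at the server
end is outside that boundary, and the query string is written to it."""
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names we treat as sensitive (constructed list; tune for your app).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "apikey",
                    "api_key", "sessionid", "ssn", "secret"}

# Common Log Format: client ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def access_log_line(method, path, query="", body="", status=200, size=512,
                    client="203.0.113.7"):
    """Build the access-log line a typical server writes for a request.

    The query string is part of the request line, so it is logged verbatim.
    The POST body is not part of the request line, so `body` is accepted here
    only to make the comparison explicit; it is deliberately never written.
    """
    target = path + (f"?{query}" if query else "")
    return (f'{client} - - [28/Jul/2005:11:45:00 -0400] '
            f'"{method} {target} HTTP/1.1" {status} {size}')


def sensitive_params_in_line(line):
    """Return the sorted sensitive parameter names found in a log line's query string."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    params = parse_qs(query, keep_blank_values=True)
    return sorted(k for k in params if k.lower() in SENSITIVE_PARAMS)


def redact_line(line):
    """Replace the values of sensitive query parameters so the log can be retained."""
    m = LOG_RE.match(line)
    if not m:
        return line
    target = m.group("target")
    parts = urlsplit(target)
    if not parts.query:
        return line
    pairs = []
    for pair in parts.query.split("&"):
        key, sep, value = pair.partition("=")
        if key.lower() in SENSITIVE_PARAMS:
            value = "REDACTED"
        pairs.append(key + sep + value)
    return line.replace(target, parts.path + "?" + "&".join(pairs), 1)


def scan(lines):
    """Return (index, sensitive_names) for every line that leaks a secret via the URL."""
    hits = []
    for i, line in enumerate(lines):
        found = sensitive_params_in_line(line)
        if found:
            hits.append((i, found))
    return hits


# Constructed sample log: the same credentials sent by GET and by POST.
SAMPLE_LOG = [
    access_log_line("GET", "/api/login", query="user=alice&password=hunter2"),
    access_log_line("POST", "/api/login", body="user=alice&password=hunter2"),
    access_log_line("GET", "/report", query="id=42"),
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(line)
    print("leaks:", scan(SAMPLE_LOG))
    print("redacted:", redact_line(SAMPLE_LOG[0]))
```

Running it shows the GET line carrying `password=hunter2` in the log while the POST line records only `/api/login`; `scan` flags the first line and `redact_line` shows the minimum you would want a log pipeline to do if a third party insists on GET. The same reasoning applies to browser history and bookmarks at the client end, which Jim raises as the other fuzzy boundary.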
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:213211
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4

