POST and GET on SSL

6

On a site protected with SSL, are POST and GET also encrypted? Given that GET is part of the address, is it still encrypted?

  • 2

    This question can help.

  • 1

    That’s right. Thank you!

  • 1

    "The fact that GET is part of the address, is it still encrypted?" In principle, everything is encrypted, except perhaps the domain - the browser connects to the server by its IP address and TCP port, receives a certificate, performs the SSL/TLS handshake protocol and only then - with the secure socket open - speaks the HTTP protocol (whether with GET, POST or whatever). That is, the layer that does the encryption is below the one where the protocol happens. Everything that is "above" is therefore confidential.

1 answer

1

As you should already know, GET data can be viewed in the URL as a query string:

https://exemplo.com/index.html?user=admin&password=whoops

Because the data is added to the URL, there is a limit to the amount of data you can transfer. Different browsers have different limits; theoretically you may have problems when the data reaches between 1 KB and 2 KB.

POST data is included in the body of the HTTP request and is not visible in the URL. As such, there is no limit to the amount of data you can transfer with POST.

If your HTTP connection is using SSL/TLS, the parameters are also encrypted, but they may appear elsewhere, such as in web server logs, and will theoretically be accessible to browser plugins and possibly other applications as well.

POST data are encrypted.

The information below I took from this Google discussion: http://answers.google.com/answers/threadview/id/758002.html

    The data contained in the query URL over an HTTPS connection is encrypted. However, it is not recommended practice to include sensitive data such as a password in a 'GET'.

    While it cannot be intercepted, the data would be logged in plain-text server logs on the receiving HTTPS server, and possibly also in the browser history. It will probably also be available to browser plugins and possibly even other applications on the client computer.

    Whenever possible, use HTTPS POST if you want to transfer information securely.

    If you are using an encryption library to encrypt the data, then you can use GET or POST, but that will be an additional pain and you may not set up the encryption correctly, so I still recommend using POST over HTTPS instead of rolling your own encryption setup. This problem has already been solved; do not reinvent the wheel.

Another option you might want to consider is to use a secure cookie. A cookie that has the Secure flag set is only sent through a secure channel, such as HTTPS, and is not sniffable. This is a good way to keep information secure, such as a session ID.
