tags:

views:

338

answers:

7
+2  Q: 

How secure is a HTTP GET when the data is URL Encoded?

If the data is Url Encoded, is it secure enough to send login credentials over HTTP GET?

+15  A: 

Not at all. URL encoded is easily reversible. You should encrypt the transport layer (i.e. use HTTPS)

Randolpho  2009-06-17 17:44:25
In addition to HTTPS, you should use POST so the credentials are not stored in browser history or favorites.
Matthew Flaschen  2009-06-17 17:46:51
Yeah follow Matthew's advice don't put anything in the URL that you wouldn't want someone else to see!
Martin Dale Lyness  2009-06-17 17:47:41
ok so if it's to an https site then it should be ok?
Matt  2009-06-17 17:49:30
Use HTTPS+POST.
Matthew Flaschen  2009-06-17 18:13:17
A: 

You can't be serious... NO!

ykaganovich  2009-06-17 17:44:53
A: 

URLEncoding is for encoding/transmission, not security.

Andrew Coleson  2009-06-17 17:46:43
A: 

Not at all secure.

RC  2009-06-17 17:46:55
+1  A: 

Please read the purpose of URL encoding

The specification for URLs (RFC 1738, Dec. '94) poses a problem, in that it limits the use of allowed characters in URLs to only a limited subset of the US-ASCII character set.

HTML, on the other hand, allows the entire range of the ISO-8859-1 (ISO-Latin) character set to be used in documents - and HTML4 expands the allowable range to include all of the Unicode character set as well. In the case of non-ISO-8859-1 characters (characters above FF hex/255 decimal in the Unicode set), they just can not be used in URLs, because there is no safe way to specify character set information in the URL content yet [RFC2396.]

URLs should be encoded everywhere in an HTML document that a URL is referenced to import an object (A, APPLET, AREA, BASE, BGSOUND, BODY, EMBED, FORM, FRAME, IFRAME, ILAYER, IMG, ISINDEX, INPUT, LAYER, LINK, OBJECT, SCRIPT, SOUND, TABLE, TD, TH, and TR elements.)

Security is not the point here. Like already noted, HTTPS should be used when that is required.

nik  2009-06-17 17:47:07
+6  A: 

No - URL encoding is meant to make sure all the characters you try to send with a GET request can actually arrive at the other end.

It is actually designed to be easily encoded and decoded to prepare data for transport, not for security.

ylebre  2009-06-17 17:48:01
+4  A: 

URL encoding is not any kind of encryption, it just prepares the string to be sent through the network.

If your data is sensitive, GET should be completely out of question. Reasons for this?

  1. The obvious one, everyone who takes a peek at the URL bar, will see the data
  2. The data will be left in every proxy log that it passes trough
  3. If the user leaves the site, the next site will have the URL recorded in it's logs/web statistics (REFERER).
rogeriopvl  2009-06-17 17:56:44

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security