views:

338

answers:

7

If the data is Url Encoded, is it secure enough to send login credentials over HTTP GET?

+15  A: 

Not at all. URL encoding is easily reversible. You should encrypt the transport layer (i.e. use HTTPS).

Randolpho
In addition to HTTPS, you should use POST so the credentials are not stored in browser history or favorites.
Matthew Flaschen
Yeah, follow Matthew's advice: don't put anything in the URL that you wouldn't want someone else to see!
Martin Dale Lyness
OK, so if it's to an HTTPS site then it should be OK?
Matt
Use HTTPS+POST.
Matthew Flaschen
A: 

You can't be serious... NO!

ykaganovich
A: 

URLEncoding is for encoding/transmission, not security.

Andrew Coleson
A: 

Not at all secure.

RC
+1  A: 

Please read the purpose of URL encoding

The specification for URLs (RFC 1738, Dec. '94) poses a problem, in that it limits the use of allowed characters in URLs to only a limited subset of the US-ASCII character set.

HTML, on the other hand, allows the entire range of the ISO-8859-1 (ISO-Latin) character set to be used in documents - and HTML4 expands the allowable range to include all of the Unicode character set as well. In the case of non-ISO-8859-1 characters (characters above FF hex/255 decimal in the Unicode set), they just can not be used in URLs, because there is no safe way to specify character set information in the URL content yet [RFC2396.]

URLs should be encoded everywhere in an HTML document that a URL is referenced to import an object (A, APPLET, AREA, BASE, BGSOUND, BODY, EMBED, FORM, FRAME, IFRAME, ILAYER, IMG, ISINDEX, INPUT, LAYER, LINK, OBJECT, SCRIPT, SOUND, TABLE, TD, TH, and TR elements.)

Security is not the point here. Like already noted, HTTPS should be used when that is required.

nik
+6  A: 

No - URL encoding is meant to make sure all the characters you try to send with a GET request can actually arrive at the other end.

It is actually designed to be easily encoded and decoded to prepare data for transport, not for security.

ylebre
+4  A: 

URL encoding is not any kind of encryption, it just prepares the string to be sent through the network.

If your data is sensitive, GET should be completely out of the question. Reasons for this?

  1. The obvious one: everyone who takes a peek at the URL bar will see the data
  2. The data will be left in every proxy log that it passes through
  3. If the user leaves the site, the next site will have the URL recorded in its logs/web statistics (REFERER).
rogeriopvl
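To make the point of the answers above concrete, here is an added example (not from the question or any answer): it URL-encodes a constructed set of login fields the way a GET form would, recovers them verbatim from a constructed access-log line, and shows a defender-side mitigation that redacts sensitive query parameters before a URL is logged. The log line, the credential values and the SENSITIVE_PARAMS list are assumptions made for this example.

```python
"""URL encoding is reversible transport encoding, not secrecy.

A credential sent in a GET query string can be read back verbatim from any
place the URL is recorded (browser history, proxy/server logs, the Referer
header). The only log-side mitigation is to strip such values before the
URL is written. All sample data below is constructed for this example.
"""
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

# Constructed: what a login form submitted with GET would carry.
CREDENTIALS = {"user": "alice", "password": "p@ss w0rd&more"}

# Constructed Apache-style access-log entry recording that request.
LOG_LINE = ('10.0.0.5 - - [01/Jan/2010:12:00:00 +0000] '
            '"GET /login?user=alice&password=p%40ss%20w0rd%26more HTTP/1.1" 200 512')

# Assumed list of parameter names that must never reach a log in clear text.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "secret"}


def encode_query(params: dict) -> str:
    """URL-encode a parameter dict exactly as a GET form submission would."""
    return urlencode(params, quote_via=quote)


def recover_query(log_line: str) -> dict:
    """Extract the request path from an access-log line and decode its query.

    parse_qsl reverses the percent-encoding, so every value comes back as
    the user typed it: the encoding was for transport, not confidentiality.
    """
    request = log_line.split('"')[1]          # e.g. GET /login?... HTTP/1.1
    path = request.split()[1]
    return dict(parse_qsl(urlsplit(path).query, keep_blank_values=True))


def redact_url(url: str) -> str:
    """Replace sensitive query values with a marker before a URL is logged."""
    parts = urlsplit(url)
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
               for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(cleaned, quote_via=quote)))


if __name__ == "__main__":
    print(encode_query(CREDENTIALS))
    print(recover_query(LOG_LINE))
    print(redact_url("/login?user=alice&password=p%40ss%20w0rd%26more"))
```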