views:

2269

answers:

19

Is a POST secure enough to send login credentials over?

Or is an SSL connection a must?

+29  A: 

SSL is a must. POST is not more secure than GET as it’s also send unencrypted. SSL will cover the whole HTTP communication and encrypt the HTTP data send between the client and server.

Gumbo
A must? For a My Little Pony fan forum? Is a ptarmigan shielded terminal, quantum encryption and a tested leased line also required?
Martin Beckett
@mgb: Leased? You've got to be kidding me. If you don't own the copper all the way through, how can you be sure it's secure?!
Andy Mikula
Yes, because people use the same password for My Little Pony fan forum and their bank account.
erickson
ponygirl88 wanted an account and Mommy created it for her. Mommy used the same username and password that she uses for her investment account. MLP Developer forgot to require authentication over SSL. Mommy lost all the money and now ponygirl88 can't go to college. Just use SSL.
Justice
@erickson: I know that was supposed to be sarcastic, but people do use the same password for -everything-, and they have trouble remembering even that.
Andy Mikula
It wasn't sarcasm. I'm not sure why you would think it was. It's a huge problem; most programmers don't even grasp the problem, and its unreasonable for those that do to expect "normal" people to worry about it.
erickson
+5  A: 

SSL is a must :)

HTTP Post is transmitted in plain text. For an example, download and use Fiddler to watch HTTP traffic. You can easily see the entire post in there (or via a network traffic monitor like WireShark)

Ken Pespisa
+2  A: 

No...POST is not secure enough at all. SSL is a MUST.

POST only effectively hides the parameters in the query string. Those parameters can still be picked up by anybody looking at the traffic in between the browser and the end point.

Justin Niessner
+2  A: 

It is not secure. A POST can be sniffed just as easily as a GET.

driis
+8  A: 

That depends on your circumstances, how much would the interception of the credentials cost somebody?

If it's just a login to a software Q+A site then SSL might not be necessary, if it's an online banking site or you store credit card data then it is.
This is a business not a techncial decision.

Martin Beckett
downvoted because people reuse passwords.
Malfist
Malfist: People reuse passwords all the time, but if you intercept a random password, do you know where else to use it?
TheTXI
if you are listening to traffic to grab credentials you can see any site the user visits. SSL does not hide the address, just the data
Jim
Fair point Malfist - but, "you MUST do X" answers where X is SSL, unit testing, backups, RAD etc without questioning the cost/benefit are almost always the wrong answer.In this case gumbo was correct to point out to the OP that POST is no more secure than GET.
Martin Beckett
+1  A: 

POST is plaintext.

A secure connection is a must.

That's why it's called a secure connection.

Justice
A: 

A POST request alone is not secure because all the data is "traveling" in plain text.

You need SSL, to make it secure.

rogeriopvl
+1  A: 

About as secure as snail-mailing someone's credentials on on a postcard.

JohnFx
+1  A: 

No, use SSL.

With POST the values are still submitted as plain text unless SSL is used.

Dana Holt
A: 

POST data is sent in plain text if you are using an unencrypted HTTP connection. IF this is secure enough depends on your usage (hint: it's not).

If both the server, the client machine and ALL MACHINES BETWEEN THEM are part of a controlled, fully trusted network, this may be ok.

Outside of these very limited circumstances (and sometimes even within them) plain text authentication is asking for trouble.

A: 

The only difference between HTTP GET and HTTP POST is the manner in which the data is encoded. In both cases it is sent as plain-text.

In order to provide any sort of security for login credentials, HTTPS is a must.

You do not need an expensive certificate to provide HTTPS either. There are many providers that will issue very basic certificates for about $20USD. The more expensive ones include identity verification which is more of a concern for e-commerce sites.

tadman
A: 

Depends on where you are using it and how secure you really need.

There is no way for someone to get the POST data you send from your home unless you are using a proxy (TOR) or someone is tapping your wires.

However, if you are concerned that someone will login using a wireless unsecured network, than ssl is important.

If you are a bank, you can't even take that risk. If you are a techer with logins to see assignments, then you should be fine

SamGoody
Sorry for -1, but how could it be "no way for someone" to see the data between home and a server?
ilya n.
Please explain. This post is being made to SO from my home computer. Even assuming that you - Ilya - knew my (and SO's) IP addresses, you would still not able to intercept the data I have posted to SO. You cannot know whats there unless you can intercept it. [And often, when you can intercept it, a SSL connection won't help.] If you believe this to be in error, prove it.
SamGoody
+2  A: 

HTTP POST is not encrypted, it can be intercepted by a network sniffer, by a proxy or leaked in the logs of the server with a customised logging level. Yes, POST is better than GET because POST data is not usualy logged by a proxy or server, but it is not secure. To secure a password or other confidential data you must use SSL or encrypt the data before you POST. Another option would be to use Digest Authentication with the browser (see RFC 2617). Remember that (home grown) encryption is not enough to prevent replay attacks, you must concatenate a nonce and other data (eg. realm) before encrypting (see RFC 2617 for how it is done in Digest Auth).

+1 for noting the differences in logging
Paul Dixon
+1  A: 

The most secure way is to not send credentials at all.

If you use Digest Authentication, then SSL is NOT a must.

(NB: I am not implying that Digest Authentication over HTTP is always more secure than using POST over HTTPS).

ykaganovich
+6  A: 

<shameless plug>I have a blog post that details what an HTTP request looks like and how a GET request compares to a POST request. For brevity's sake, GET:

GET /?page=123 HTTP/1.1 CRLF
Host: jasonmbaker.wordpress.com CRLF
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_6; en-us) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1 CRLF
Connection: close CRLF

and POST:

POST / HTTP/1.1 CRLF
Host: jasonmbaker.wordpress.com CRLF
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_6; en-us) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1 CRLF
Connection: close CRLF
CRLF
page=123

(The CRLF is just a newline)

As you can see, the only differences from the standpoint of how a request is formed* is that a POST request uses the word POST and the form data is sent in the body of the request vs the URI. Thus, using HTTP POST is security by obscurity. If you want to protect data, you should use SSL.

* Note that there are other differences.

Jason Baker
+1 For providing a visualization of why POST is no more secure.
Rob Wilkerson
A: 

I agree with mgb, I really don't know why so many people are screaming about how SSL is a must - it's absolutely important under certain circumstances, but is by no means a must. Even stack overflow doesn't use SSL - they use OpenID, but some of the websites (I just checked, and LiveJournal does not use SSL to log in) are just plain POST requests.

If you are protecting important information, you would be very irresponsible to not use SSL, but for the average use case it's just extra hassle that you don't need.

dimo414
A: 

Login credentials to who? How sensitive is it? (SSL is much better... Do you need it? Do you need more?)

elmer
A: 

Very interesting

chris
A: 

I am wondering if there is a difference between POST and GET over SSL when sending sensitive info such as UID/PW. This will be encrypted in the body when sent using a POST, but I don't believe this part of the URI will be encrypted and will be sent as plain text.

i.e., Won't something like "https://myserver.mydomain.com/login?uid=me&amp;pw=supersecretpw" be exposed in plain text on the wire, although the rest of the message will be SSL encrypted if sent as a GET?

Bill