Sending sensitive data as a query string parameter

views:

answers:

Sending sensitive data as a query string parameter

We are reviewing the design of a system. And need to verify what we think may be a security issue.

In this system some sensitive information is sent in the query string. Question is:

Can the query string parameters be read as the request goes over the internet, even if the request is sent over https?
Can the query string parameters be read be read from the browsing history on the client machines?

Yes for the first. Not sure about the second - depends on the browser, I guess - but I suspect, Yes, here as well.

Raghuram 2010-10-01 09:42:06

Why can the GET parameters be read over https?

Markus Winand 2010-10-01 09:52:04

The HTTP request (including method, path, query, headers, entity, ...) is sent on top of the SSL/TLS connection, once it's established. They're not visible.

Bruno 2010-10-01 14:34:10

+2 A:

When you use HTTPS, the SSL/TLS connection is established before any HTTP traffic is sent, thus the whole request (including the URL and its parameters) will be encrypted and won't be readable. The only thing that's possibly visible by a third party is the server certificate (so they could see the host name, but that's it).

The browser's history isn't protected in any way by HTTPS as such, although some browsers may have some "safe browsing" options which would delete some HTTPS URLs automatically perhaps. This one ultimately really depends on the browser and its configuration.

Bruno 2010-10-01 14:32:22

ansaurus

tags:

views:

answers:

Sending sensitive data as a query string parameter

related questions