Is a Querystring encrypted when using HTTPS?

Synopsis: This is really the wrong question.  The question should be “Is an encrypted Querystring secure?”

In a recent systems integration conference call, a third-party consultant wanted his application to pass us user credentials via Querystring arguments using SSL.  I commented that I usually don’t recommend doing this, and would prefer a POST to a GET, if possible, as it would be more secure.  I did not press the issue too firmly as it wasn’t my data, after all.

However, as a result of the call, I received a rather pointed email that roughly translated to: “You’re a Developer, you should know that Querystring arguments are encrypted when using SSL”.

I thought about the email for a minute…and had to agree that Querystring arguments get encrypted when using SSL (I never meant to suggest otherwise).  The SSL handshake and connection occur prior to any data being sent across the wire.

However, an SSL POST is still more secure than an SSL GET.  So, for the record, I figured I would put down my thoughts here (so I will remember the specifics the next time this comes up).

It comes down to this:

Querystring arguments are encrypted in transit between the browser and the server.  However, they are plain text at both ends, before the request is sent and after it is received.  Because full URLs (including the Querystring) are stored in lots of places, Querystring arguments end up stored or visible in plain text in lots of places.

Querystrings get stored in:

  • Browser history caches
  • Bookmarks
  • Referrer headers (sent along to the next page the user navigates to, which may be a third-party site, depending on the browser’s referrer policy)
  • Browser address bar (let’s not forget the end-user, or anyone looking over their shoulder)
  • Web server logs (and the logs of any reverse proxy, load balancer or CDN in front of the server, which all see the URL after TLS is terminated)

Querystrings are accessible via:

  • Browser plugins and extensions
  • JavaScript (window.location.search on the page itself, and document.referrer on the next page)

This is not an exhaustive list of the ways GET parameters leak, but it is reason enough to use a POST instead of a GET when the data is sensitive.  A POST body is plain text at both ends as well, so it still has to be kept out of application logs and error pages, but nothing writes it to history, bookmarks, access logs or the Referer header by default.
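The log and Referer leaks above, as an added example (this is not code from the original post).  It simulates the Common Log Format line an HTTPS server writes for a GET login versus a POST login, scans log lines for credential-looking query parameters, redacts them for the case where a GET cannot be avoided, and works out what a browser puts in the Referer header under the current default referrer policy.  The IP address, timestamp, URLs and the list of sensitive parameter names are all constructed for the example.

```javascript
// Added example, not code from the original post. Everything below (log
// format, sample requests, list of sensitive parameter names) is constructed.

// Parameter names that usually carry secrets (assumed list; extend for your app).
const SENSITIVE_PARAMS = new Set([
  "password", "passwd", "pwd", "secret", "token", "access_token",
  "api_key", "apikey", "session", "sessionid", "ssn",
]);

// Common Log Format line as a web server writes it. TLS has been terminated
// by now: the request line (method, path and query) is logged in plain text,
// while a request body is only counted, never written.
function accessLogLine(method, url, body = null) {
  const u = new URL(url);
  const target = u.pathname + u.search;
  const size = body ? Buffer.byteLength(body) : 0;
  return `203.0.113.7 - - [10/Oct/2000:13:55:36 -0700] "${method} ${target} HTTP/1.1" 200 ${size}`;
}

// Detection: pull the request target out of a log line and return the names
// of any sensitive query parameters it carries.
function findSensitiveParams(logLine) {
  const m = /"(?:GET|POST|PUT|PATCH|DELETE|HEAD) (\S+) HTTP\/[\d.]+"/.exec(logLine);
  if (!m) return [];
  const q = m[1].indexOf("?");
  if (q === -1) return [];
  const params = new URLSearchParams(m[1].slice(q + 1));
  return [...params.keys()].filter((k) => SENSITIVE_PARAMS.has(k.toLowerCase()));
}

// Mitigation when a GET cannot be avoided: blank sensitive values before the
// URL is logged, bookmarked or displayed anywhere.
function redactQuery(url) {
  const u = new URL(url);
  for (const k of [...u.searchParams.keys()]) {
    if (SENSITIVE_PARAMS.has(k.toLowerCase())) u.searchParams.set(k, "REDACTED");
  }
  return u.toString();
}

// Referer leak under the browser default policy strict-origin-when-cross-origin
// (Chrome 85+, Firefox 87+): the full URL, query included, goes to same-origin
// pages; only the origin goes cross-origin; nothing on an HTTPS->HTTP downgrade.
// Under the older default (no-referrer-when-downgrade) the full URL went to
// every HTTPS destination, third parties included.
function refererSent(pageUrl, destUrl) {
  const page = new URL(pageUrl);
  const dest = new URL(destUrl);
  if (page.protocol === "https:" && dest.protocol === "http:") return null;
  if (page.origin === dest.origin) return page.href;
  return page.origin + "/";
}

// Constructed sample requests: the same credentials sent both ways.
const GET_LOGIN = "https://example.com/login?user=alice&password=hunter2";
const POST_LOGIN = "https://example.com/login";
const POST_BODY = "user=alice&password=hunter2";

const getLine = accessLogLine("GET", GET_LOGIN);
const postLine = accessLogLine("POST", POST_LOGIN, POST_BODY);
console.log(getLine);   // password sits in the access log in plain text
console.log(postLine);  // body is not logged, only its byte count
console.log("leaked via GET:", findSensitiveParams(getLine));    // [ 'password' ]
console.log("leaked via POST:", findSensitiveParams(postLine));  // []
console.log("redacted:", redactQuery(GET_LOGIN));
console.log("Referer to same origin:", refererSent(GET_LOGIN, "https://example.com/help"));
console.log("Referer to third party:", refererSent(GET_LOGIN, "https://cdn.example.net/a.js"));
```

Run it with node; the two log lines show the point directly: the GET line contains `password=hunter2`, the POST line contains only `/login` and a size of 27.  The redaction step only helps for logs you control; history, bookmarks and the user’s address bar still hold the original URL, which is why the real fix is to not put the secret in the URL at all.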

To bring this story to a conclusion: Ironically, I never did get a POST.  Instead, I got a single Querystring argument that was encrypted on their server before the URL was sent to the browser.  Go figure.
