Synopsis: This is really the wrong question. The question should be “Is an encrypted Querystring secure?”
In a recent systems integration conference call, a third-party consultant wanted his application to pass us user credentials via Querystring arguments using SSL. I commented that I usually don’t recommend doing this, and would prefer a POST to a GET, if possible, as it would be more secure. I did not press the issue too firmly as it wasn’t my data, after all.
However, as a result of the call, I received a rather pointed email that roughly translated to: “You’re a Developer, you should know that Querystring arguments are encrypted when using SSL”.
I thought about the email for a minute…and had to agree that Querystring arguments get encrypted when using SSL (I never meant to suggest otherwise). The SSL handshake and connection occur prior to any data being sent across the wire.
However, a SSL POST is still more secure than a SSL GET. So, for the record, I figured I would put down my thoughts here (so I will remember the specifics the next time this comes up).
It comes down to this:
Querystring arguments are safely encrypted between the browser and server. However, they are not encrypted on either end after transmission. Because full URLs (including the Querystring) are stored in lots of places, Querystring arguments are stored/visible in plain text in lots of places.
Querystrings get stored in
- Browser History caches
- Referrer headers
- Browser Address bar (let’s not forget the end-user!)
- Web Server logs
Querstrings are accessible via
- Browser plugins
This is not an exhaustive list of GET insecurities, but certainly provides enough reason to use a POST instead of a GET when you are worried about security
To bring this story to a conclusion: Ironically, I never did get a POST. Instead, I got a single Querystring argument that was encrypted on their server before the URL was sent to the browser. Go figure.