Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
428 views
in Technique[技术] by (71.8m points)

authentication - Are security concerns sending a password using a GET request over https valid?

We have webpage which uses the -framework to build a . The communication between the browser and the server uses . The interaction to log into the page is the following:

  1. The user opens the website by entering https://myserver.com in the browser
  2. A login dialogue with two form fields for unsername and password is shown.
  3. After entering username and password and pressing the login-button
  4. an ajax-request is send using GET to the URL: https://myusername:[email protected]/foo/bar/metadata

According to my understanding using GET to send sensitive data is never a good idea. But this answer to HTTPS is the url string secure says the following

HTTPS Establishes an underlying SSL conenction before any HTTP data is
transferred. This ensures that all URL data (with the exception of
hostname, which is used to establish the connection) is carried solely
within this encrypted connection and is protected from
man-in-the-middle attacks in the same way that any HTTPS data is.

An in another answer in the same thread:

These fields [for example form field, query strings] are stripped off
of the URL when creating the routing information in the https packaging 
process by the browser and are included in the encrypted data block.

The page data (form, text, and query string) are passed in the
encrypted block after the encryption methods are determined and the
handshake completes.

But it seems that there still might be security concerns using :

Is this the case for URLs like?

    https://myusername:[email protected]/foo/bar/metadata
    // or 
    https://myserver.com/?user=myUsername&pass=MyPasswort

Additional questions on this topic:

On security.stackexchange are additional informations:

But in my opinion a few aspects are still not answered

Question

In my opinion the mentioned points are valid objections to not use get. Is the case; is using get for sending passwords a bad idea?

Are these the attack options, are there more?

  • browser history
  • server logs (assuming that the url is stored in the logs unencrypted or encrypted)
  • referer information (if this is really the case)

Which attack options do exist when sending sensitive data (password) over https using get?

Thanks

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

Sending any kind of sensitive data over GET is dangerous, even if it is HTTPS. These data might end up in log files at the server and will be included in the Referer header in links to or includes from other sides. They will also be saved in the history of the browser so an attacker might try to guess and verify the original contents of the link with an attack against the history.

Apart from that you better ask that kind of questions at security.stackexchange.com.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...