HTTPS – is URL string itself secure??

So yes. The data contained in the URL query on an HTTPS connection is
encrypted. However it is very poor practice to include such sensitive
data as a password in the a ‘GET’ request. While it cannot be
intercepted, the data would be logged in plaintext serverlogs on the
receiving HTTPS server, and quite possibly also in browser history. It
is probably also available to browser plugins and possibly even other
applications on the client computer. At most an HTTPS URL could be
reasonably allowed to include a session ID or similar non-reusable
variable. It should NEVER contain static authentication tokens.

Been wondering this myself for a while, and had been too lazy to look it up until now. Interesting, a number a google services API do exactly this. I hope they eventually move away from it, because once a google account falls, the others fall very quickly.

But then again, AuthSub is deprecated, and OAuth is ridiculously overcomplicated.


One thought on “HTTPS – is URL string itself secure??

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s