36

What is the difference when encrypting GET and POST data?

To be more specific: when HTTPS/SSL encrypts both of these methods, what is the difference in the way the browser does this? Which parts are encrypted and which are not?

I read somewhere that the destination URL is not encrypted in POST, is that true? If it is true and the same in GET, where are all the parameters?

When both methods are encrypted with same data, do they look the same when sniffed? What parts are encrypted and which are not?

Robotnik
Roar
  • Other than the fact that you have to URL-encode the encryption result for GET... I can't see anything. – Justin Niessner Jun 17 '10 at 16:22
  • @Rowland Shaw - I assumed they're encrypting the value before sending it back to the server. If they're talking about encoding, that would make a little more sense. – Justin Niessner Jun 17 '10 at 16:29
  • 4
    If you are using SSL, *everything* is encrypted. This includes the url, the querystring, the request and response headers and the data in the post body. GET and POST are both encrypted, there is no difference between them. See http://stackoverflow.com/questions/499591/are-https-urls-encrypted – Sripathi Krishnan Jun 17 '10 at 16:39

5 Answers

66

GET data is appended to the URL as a query string:

https://example.com/index.html?user=admin&password=whoops

Because the data is appended to the URL, there is a hard limit to the amount of data you can transfer. Different browsers have different limits, but you'll start to have problems around the 1KB-2KB mark.

POST data is included in the body of the HTTP request and isn't visible in the URL. As such, there's no limit to the amount of data you can transfer over POST.

If the HTTP connection is using SSL/TLS, then GET parameters are also encrypted but can show up in other places such as the web server logs and will be accessible to browser plugins and possibly other applications as well. POST data is encrypted and does not leak in any other way.

From a Google Discussion:

The data contained in the URL query on an HTTPS connection is encrypted. However it is very poor practice to include such sensitive data as a password in a 'GET' request. While it cannot be intercepted, the data would be logged in plaintext server logs on the receiving HTTPS server, and quite possibly also in browser history. It is probably also available to browser plugins and possibly even other applications on the client computer.

Always use POST over HTTPS if you want to securely transfer information.

If you're using an encryption library to encrypt the data then you can use GET or POST, but this will be an added pain and you might not set up the encryption correctly, so I'd still recommend using POST over HTTPS, rather than rolling your own encryption setup. This problem has been solved already, don't re-invent the wheel.

Another option you might want to consider is using a secure cookie. A cookie that has the secure flag set is only sent over a secure channel, such as HTTPS, and isn't sniffable. This is a good way to persist information securely, such as a session ID.

LordOfThePigs
Ben S
  • 13
    Wrong. GET requests are also encrypted, including the Query String - http://stackoverflow.com/questions/499591/are-https-urls-encrypted – Sripathi Krishnan Jun 17 '10 at 16:36
  • The DNS request will include the full URL and can be sniffed. The GET parameters will also show up in the logs. – Ben S Jun 17 '10 at 16:40
  • 9
    The DNS request will only include the domain name, and not the url parameters. Besides, even a POST request will require a DNS lookup. Logs will contain the url parameters - *but* logs are only accessible to the server, and the server can also read whatever data is posted. SSL is meant to prevent man-in-the-middle attacks, and it achieves that regardless of GET or POST. – Sripathi Krishnan Jun 17 '10 at 16:43
  • 1
    @SripathiKrishnan Most of your points were good, but your one about logs is misleading. A vulnerability that allows someone to read logs does not necessarily allow them to sniff and decrypt network traffic, or subvert the server in any other way. Additionally, if a bad guy is only in control of a server for a few minutes, if your logs contain sensitive information, everyone is very screwed. If they don't, everyone is far less likely to be screwed. – root Aug 15 '13 at 17:48
3

The difference is that an encrypted parameter that is sent with the GET verb will be visible in the address bar while the one sent with the POST verb will not (of course this doesn't mean that the user cannot see the encrypted value). Another difference is in the allowed maximum length: GET requests are limited as URLs are limited in browsers. Third difference: GET requests are logged in intermediary web servers they transit (web, proxy, ...), so if you use GET over the internet your encrypted parameter will definitely be logged on many machines before it arrives at your web server.

Darin Dimitrov
3

When an HTTPS GET request is made, the query string parameters ARE ENCRYPTED! The only thing that is not encrypted in an HTTPS request is the server name or IP address and port of the request. Those are the only two pieces of information necessary to route the request from your browser to the web server, which then performs the decryption.

Use Fiddler (with the SSL decryption turned off) and look at your traffic with a secure site. You'll see that you cannot view unencrypted query string data or even path information.

John Bledsoe
0

POST can send more data than GET

GET is easier for a malicious user to manipulate data

GET is not encrypted

POST is not encrypted

3Dave
Tom Gullen
0

It may help if you visualize the HTTP request:

GET /page.php?get-data-here HTTP/1.1
Host: www.site.com

post-data-here

This whole thing is encrypted when you use HTTPS.

JW.
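An added illustration (not code from any answer above) of the point made in Ben S's answer and in JW.'s request sketch: over HTTPS the whole request, GET query string included, is inside the TLS tunnel, but a GET query string is still part of the request line that servers normally write to their access log, whereas a POST body is not. The host and port, the log line format (Common Log Format style), the client IP and the credentials are all constructed example values.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed samples: the same credentials sent once via GET, once via POST.
GET_URL = "https://example.com/index.html?user=admin&password=whoops"
POST_URL = "https://example.com/index.html"
POST_BODY = urlencode({"user": "admin", "password": "whoops"})


def build_request(method, url, body=""):
    """Raw HTTP/1.1 request text as it is carried inside the TLS records."""
    parts = urlsplit(url)
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    lines = [f"{method} {target} HTTP/1.1", f"Host: {parts.hostname}"]
    if body:
        lines.append("Content-Type: application/x-www-form-urlencoded")
        lines.append(f"Content-Length: {len(body)}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


def on_the_wire(method, url, body=""):
    """Split a request into what a passive observer sees and what TLS hides."""
    parts = urlsplit(url)
    return {
        # Cleartext: the hostname (DNS lookup, TLS SNI) and the TCP port.
        "cleartext": {"host": parts.hostname, "port": parts.port or 443},
        # Encrypted: request line (path and query), headers and body.
        "encrypted": build_request(method, url, body),
    }


def access_log_line(method, url):
    """Constructed CLF-style entry: the server decrypts the request and logs
    the request target, so a GET query string ends up on disk in plaintext."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return f'203.0.113.5 - - [17/Jun/2010:16:22:00 +0000] "{method} {target} HTTP/1.1" 200 512'


def logged_params(url):
    """Parameters a log reader could recover from the request line alone."""
    return dict(parse_qsl(urlsplit(url).query))


if __name__ == "__main__":
    for method, url, body in (("GET", GET_URL, ""), ("POST", POST_URL, POST_BODY)):
        view = on_the_wire(method, url, body)
        print(f"--- {method}: visible to a sniffer: {view['cleartext']}")
        print(view["encrypted"])
        print("server access log:", access_log_line(method, url))
        print("recoverable from log:", logged_params(url), "\n")
```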