3

We are reviewing the design of a system and need to verify what we think may be a security issue.

In this system some sensitive information is sent in the query string. The question is:

  • Can the query string parameters be read as the request goes over the internet, even if the request is sent over https?
  • Can the query string parameters be read from the browsing history on the client machines?
Shiraz Bhaiji
    Also check out http://stackoverflow.com/questions/2629222/is-querystring-parameters-secure-in-https-http-ssl – Jagmag Oct 01 '10 at 09:50
  • Maybe one more issue: very often the entire query string (incl. parameters) is written to a log file; that is, it is potentially stored on the webserver without any encryption as well. – Markus Winand Oct 01 '10 at 09:54
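The logging point raised in the comment above is easy to verify on the server side: the query string is part of the request line that the web server writes to its access log in plain text, regardless of whether the connection was HTTPS. The following is an added example, not code from this thread; it scans constructed combined-format access log lines for sensitive query parameters and shows how to redact their values before they are stored. The set of parameter names treated as sensitive and the sample log lines are assumptions made for the demonstration.

```python
"""
Added example (not part of the Stack Overflow thread): detect sensitive
query-string parameters in web-server access logs and redact them.
The SENSITIVE_PARAMS names and the SAMPLE_LOG lines are constructed
for this demonstration.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names treated as sensitive (assumption for this example).
SENSITIVE_PARAMS = {"password", "passwd", "token", "session", "ssn", "apikey", "card"}

# Combined log format: the request line is the first double-quoted field,
# e.g. "GET /path?query HTTP/1.1".
REQUEST_LINE_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<version>HTTP/[\d.]+)"'
)


def sensitive_params(target):
    """Return the sorted sensitive parameter names found in a request target's query string."""
    query = urlsplit(target).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_PARAMS})


def redact_target(target):
    """Replace the values of sensitive parameters with REDACTED; other parameters are kept."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    redacted = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(redacted)))


def scan_log(lines):
    """Return (line_no, method, target, names) for each log line exposing sensitive parameters."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_LINE_RE.search(line)
        if not m:
            continue  # not a recognizable request line; skip
        names = sensitive_params(m.group("target"))
        if names:
            findings.append((n, m.group("method"), m.group("target"), names))
    return findings


def redact_log_line(line):
    """Rewrite one log line so sensitive query values are not written to disk."""
    m = REQUEST_LINE_RE.search(line)
    if not m:
        return line
    new_target = redact_target(m.group("target"))
    return line[:m.start("target")] + new_target + line[m.end("target"):]


# Constructed sample access log lines (combined log format) for the demonstration.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Oct/2010:09:50:01 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Oct/2010:09:50:02 +0000] "GET /account?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Oct/2010:09:50:03 +0000] "GET /api/report?token=abc123&format=csv HTTP/1.1" 200 2048 "-" "curl/7.21"',
    '198.51.100.7 - - [01/Oct/2010:09:50:04 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, method, target, names in scan_log(SAMPLE_LOG):
        print(f"line {n}: {method} {target} exposes {', '.join(names)}")
    print("--- redacted ---")
    for line in SAMPLE_LOG:
        print(redact_log_line(line))
```

The scanner reports lines 1 and 3 (the `password` and `token` parameters); the fourth line shows the usual remedy, sending the secret in a POST body, which leaves nothing in the request line. Redaction rebuilds the query with `urlencode`, so the encoding of non-sensitive values is normalized rather than preserved byte for byte; that is acceptable for a log but worth knowing if the logs feed another parser.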

3 Answers

9

When you use HTTPS, the SSL/TLS connection is established before any HTTP traffic is sent, thus the whole request (including the URL and its parameters) will be encrypted and won't be readable. The only thing that's possibly visible to a third party is the server certificate (so they could see the host name, but that's it).

The browser's history isn't protected in any way by HTTPS as such, although some browsers may have some "safe browsing" options which would delete some HTTPS URLs automatically perhaps. This one ultimately really depends on the browser and its configuration.

Bruno
0

This is certainly a security issue if sensitive details are being passed in a GET request. Sensitive data will not only get cached in the user's browser but also in any proxy on the way and in web server logs.

Jatin
    They won't be in any proxy, unless in reverse proxy (after the actual target server). – Bruno Feb 13 '13 at 10:00
-1

Yes for the first. Not sure about the second - depends on the browser, I guess - but I suspect, Yes, here as well.

Raghuram
  • The HTTP request (including method, path, query, headers, entity, ...) is sent on top of the SSL/TLS connection, once it's established. They're not visible. – Bruno Oct 01 '10 at 14:34