[aklug] State of Alaska Security / SSL

From: Scott A. Johnson <scott.a.johnson@gmail.com>
Date: Thu May 20 2010 - 08:23:03 AKDT

I noticed something the other day when logging into the State's
"MyAlaska" service, which seems to be a portal the State is using to
bring more and more state services online such as applying for a PFD.
Anyhoo, in the static URL/query string are my username and password!
For example, the URL I received was

https://palm.state.ak.us/amserver/UI/Login?Login.Token1=USERNAMEHERE&Login.Token2=PASSWORDHERE&goto=https://myalaska.state.ak.us/home&gotoOnFail=https://myalaska.state.ak.us/home/app

If anyone wants to reproduce this, just substitute USERNAMEHERE and
PASSWORDHERE with the appropriate values. My question is: is the URL
string of an HTTPS session encrypted along with the actual data of the
page? Or is the URL sent plain text before SSL is established, and
therefore someone could get my username and password just by the URL
regardless of HTTPS/SSL? What about server logs or client side
history - wouldn't the goodies be cached and/or retained in these
areas?

Other thoughts?

Scott

-- 
Scott A. Johnson
scott.a.johnson@gmail.com
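On the server-log part of the question: the path and query string travel inside the TLS session, but the web server writes the full request target to its access log, so credentials passed as query parameters end up on disk in clear text. The script below is an added example, not code from the original post or from the State: it scans constructed Apache/nginx combined-format log lines for the Login.Token1/Login.Token2 parameters quoted above plus common password parameter names, reports what leaked, and emits a redacted copy of each offending line.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names treated as credential-bearing (compared case-insensitively).
# Login.Token1/Login.Token2 are the names seen in the MyAlaska URL in the post;
# the remaining names are common aliases assumed for illustration.
SENSITIVE_PARAMS = {"login.token1", "login.token2", "password", "passwd", "pwd", "pass"}

# Combined log format quotes the request line as "METHOD /path?query HTTP/x.y".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

# Constructed sample log lines (not real traffic); the first one mirrors the post's URL.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/May/2010:08:23:03 -0800] "GET /amserver/UI/Login?Login.Token1=scott'
    '&Login.Token2=hunter2&goto=https://myalaska.state.ak.us/home HTTP/1.1" 302 0',
    '203.0.113.7 - - [20/May/2010:08:23:04 -0800] "GET /home/app HTTP/1.1" 200 5120',
]


def find_credential_params(target: str) -> list:
    """Return the names of sensitive query parameters present in a request target."""
    query = urlsplit(target).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True) if k.lower() in SENSITIVE_PARAMS]


def redact_target(target: str) -> str:
    """Replace the value of every sensitive parameter with a marker; keep the other parameters."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    # safe="/:" keeps the goto= URL readable instead of percent-encoding it.
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="/:")))


def scan_log(lines) -> list:
    """Return (line_number, leaked_param_names, redacted_line) for every line that leaks credentials."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we understand; leave it alone
        leaked = find_credential_params(m.group("target"))
        if leaked:
            redacted = line[:m.start("target")] + redact_target(m.group("target")) + line[m.end("target"):]
            hits.append((n, leaked, redacted))
    return hits


if __name__ == "__main__":
    for n, leaked, redacted in scan_log(SAMPLE_LOG):
        print(f"line {n}: credentials in {leaked}\n  redacted: {redacted}")
```

The same scan applies to proxy logs and browser history exports, which record the identical request target; the durable fix is for the login form to POST the credentials in the request body rather than the URL.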

This archive was generated by hypermail 2.1.8 : Thu May 20 2010 - 08:23:37 AKDT