[aklug] Re: State of Alaska Security / SSL

From: Royce Williams <royce@alaska.net>
Date: Thu May 20 2010 - 08:31:57 AKDT

Scott A. Johnson wrote, on 5/20/2010 8:23 AM:

[snip]

> My question is: is the URL
> string of an HTTPS session encrypted along with the actual data of the
> page? Or is the URL sent plain text before SSL is established, and
> therefore someone could get my username and password just by the URL
> regardless of HTTPS/SSL? What about server logs or client side
> history - wouldn't the goodies be cached and/or retained in these
> areas?

The encryption is set up before the URL is transmitted. The 'https' URI
scheme name just tells the browser "Hey, set up SSL to example.net
before doing the HTTP." So you're OK "in flight", as it were.

The server logs and client history would probably contain the results.

Royce
Received on Thu May 20 08:32:06 2010
