On Thursday 20 May 2010, Royce Williams elucidated thus:
> Scott A. Johnson wrote, on 5/20/2010 8:23 AM:
>
> [snip]
>
> > My question is: is the URL
> > string of an HTTPS session encrypted along with the actual data of
> > the page? Or is the URL sent plain text before SSL is established,
> > and therefore someone could get my username and password just by
> > the URL regardless of HTTPS/SSL? What about server logs or client
> > side history - wouldn't the goodies be cached and/or retained in
> > these areas?
>
> The encryption is set up before the URL is transmitted. The 'https'
> URI scheme name just tells the browser "Hey, set up SSL to
> example.net before doing the HTTP." So you're OK "in flight", as it
> were.
>
> The server logs and client history would probably contain the
> results.

The other danger is if a secure web site using this method links to an
off-site page. The referrer will contain your user and pass. This is
really worrying as this is a security "hole" that I remember hearing
talked about *YEARS* ago. It's really sad to see the AK IT department
using something like this.
j
-- 
Joshua Kugler
Part-Time System Admin/Programmer
http://www.eeinternet.com
PGP Key: http://pgp.mit.edu/ ID 0x73B13B6A

Received on Thu May 20 08:35:35 2010
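The thread names three places where a username and password carried in the URL query string end up even though the HTTPS connection itself is encrypted: the server's access log, the browser history, and the Referer header sent to any off-site page the secure page links to. The script below is an added example (not code from the list or from the site under discussion) of the kind of check an administrator can run over an access log to find such leaks. It parses Common Log Format lines, inspects both the request path and the logged Referer, and flags query parameter names that look like credentials. The parameter-name list and the log lines are constructed for the example; the log line with an `https://` Referer stands for what a third-party server would record after a user follows an off-site link from a page whose URL carries credentials.

```python
"""Find credentials passed in URL query strings by scanning an access log."""
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names that commonly carry secrets. Assumed list; extend for your site.
SENSITIVE_PARAMS = {"user", "username", "pass", "password", "passwd", "pwd", "token"}

# Common Log Format with the combined "referer" "agent" suffix:
# host ident user [date] "METHOD path PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)


def credential_params(url):
    """Return the sorted names of query parameters in `url` that look like credentials.

    Works for a bare request path ("/login?user=x") and for a full URL as found
    in a Referer header; "-" (no referer) yields an empty list.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(name for name in query if name.lower() in SENSITIVE_PARAMS)


def scan_access_log(lines):
    """Return (line_no, field, params) for each line whose request path or
    Referer carries credential-looking query parameters.

    `field` is "path" when the secret was in the request this server handled
    (it is now in this server's log) and "referer" when it arrived from another
    site's URL (that site put the secret in a link and the browser relayed it).
    """
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = LOG_RE.match(line)
        if not match:
            continue  # not CLF; skip rather than guess
        for field in ("path", "referer"):
            params = credential_params(match.group(field))
            if params:
                findings.append((line_no, field, params))
    return findings


# Constructed sample log lines; no real host, user or site is referenced.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/May/2010:08:23:00 -0800] "GET /login?username=alice&password=hunter2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [20/May/2010:08:23:05 -0800] "GET /account HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [20/May/2010:08:24:00 -0800] "GET /offsite-page HTTP/1.1" 200 1024 '
    '"https://portal.example.net/login?username=alice&password=hunter2" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line_no, field, params in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: credential parameters {params} in {field}")
```

Run as a script it reports line 1 (the secret is in this server's own log) and line 3 (the secret arrived in a Referer, i.e. it left the originating site). The fix the thread implies is to stop putting credentials in the URL at all: send them in a POST body or an Authorization header, which are encrypted in flight just like the URL but are not copied into logs, history, or Referer headers by default.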