s0c0 Posted August 7, 2007

I've read that using POST is not any more secure than using a GET in your XMLHttpRequest object. My company has recently deployed a point of sale system for our CSRs that is heavy on Ajax and uses only GET requests. At this point all the traffic is inside our network, but there is still a bit of security concern there that I would like to address immediately; furthermore, at some point in the near future this will be opened up to contractors and other companies to sell our products. I am worried about these GET requests sending people's credit card information across the web. If I were to implement POST over HTTPS, would the data contained inside the POST be encrypted by SSL? Is this correct? And it would not matter if we were sending GETs over SSL, since someone listening in could still view the URL string, correct? Please advise.
448191 Posted August 7, 2007

The way I understand it, an encrypted connection between client and server is established before the query is sent. Meaning the query (thus GET data) is encrypted, and not viewable. From Wikipedia:

TLS Handshake in Detail

The TLS protocol exchanges records that encapsulate the data to be exchanged. Each record can be compressed, padded, appended with a message authentication code (MAC), or encrypted, all depending on the state of the connection. Each record has a content type field that specifies the record, a length field, and a TLS version field. When the connection starts, the record encapsulates another protocol, the handshake protocol, which has content type 22. A simple connection example follows:

<snip>

* Finally, the Server sends a ChangeCipherSpec and its encrypted Finished message, and the Client performs the same decryption and verification.
* At this point, the "handshake" is complete and the Application protocol is enabled, with content type of 23. Application messages exchanged between Client and Server will be encrypted.

The application protocol is HTTP, at least in the case of HTTPS. So TLS/SSL is between TCP and HTTP, and after there is a secure connection, the client can send an HTTP request query. So no HTTP data is ever sent unencrypted.
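As an added illustration (not code from either poster), the script below models the two requests the thread is comparing: a GET with the card number in the query string and a POST with it in the body. It builds the raw HTTP request that the browser hands to TLS as application data, and separates what a passive observer on the wire can still read (the destination host via the TLS Server Name Indication extension, plus the rough size of the encrypted record) from what is inside the encrypted record (request line with path and query, headers, body). It also renders an Apache-style access log line for each request, because that is where the GET/POST difference shows up even over HTTPS: the server decrypts the request and writes the request line, query string included, to its log, while a POST body is not logged. The hostname, path, card value and log timestamp are all constructed sample values.

```python
"""Where the data in an HTTPS request travels: constructed example.

Models the HTTP bytes that TLS encrypts (application data, record content
type 23) for a GET and an equivalent POST, and shows what a server access
log records afterwards. Hostname, path, card value and log fields are all
constructed samples, not real data.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode, urlsplit

# Constructed sample value (a well-known test number, not a real card).
CARD = "4111111111111111"


def build_http_request(method: str, url: str,
                       form: Optional[Dict[str, str]] = None) -> Tuple[str, bytes]:
    """Return (sni_hostname, application_data) for a request.

    sni_hostname: the one HTTP-level fact a passive observer can still read,
    because the Server Name Indication in the TLS ClientHello is in the clear.
    application_data: the raw HTTP request that TLS encrypts: request line
    (path + query string), headers and body.
    """
    parts = urlsplit(url)
    target = parts.path or "/"
    body = b""
    if method == "GET" and form:
        target += "?" + urlencode(form)      # secret rides in the request line
    elif method == "POST" and form:
        body = urlencode(form).encode()      # secret rides in the body
    lines = [f"{method} {target} HTTP/1.1", f"Host: {parts.hostname}"]
    if body:
        lines += ["Content-Type: application/x-www-form-urlencoded",
                  f"Content-Length: {len(body)}"]
    head = "\r\n".join(lines).encode() + b"\r\n\r\n"
    return parts.hostname, head + body


def wire_view(method: str, url: str, form: Dict[str, str]) -> dict:
    """Split a request into what crosses the network in the clear and what
    sits inside the TLS record. Only metadata (host, size) is exposed; the
    query string is encrypted exactly like the body is."""
    host, app_data = build_http_request(method, url, form)
    return {
        "plaintext": {"sni": host, "approx_size": len(app_data)},
        "encrypted": app_data,
    }


def access_log_line(method: str, url: str, form: Dict[str, str],
                    status: int = 200) -> str:
    """Apache 'common' style log line as written after TLS decryption.
    The whole request line is logged, query string and all; a POST body is
    not. Client address and timestamp are constructed values."""
    _, app_data = build_http_request(method, url, form)
    request_line = app_data.split(b"\r\n", 1)[0].decode()
    return (f'10.0.0.5 - - [07/Aug/2007:12:00:00 +0000] '
            f'"{request_line}" {status} 512')


if __name__ == "__main__":
    url = "https://pos.example.com/api/charge"
    for method in ("GET", "POST"):
        view = wire_view(method, url, {"card": CARD})
        print(method, "on the wire in clear:", view["plaintext"])
        print(method, "inside TLS record:", view["encrypted"])
        print(method, "server access log:", access_log_line(method, url, {"card": CARD}))
        print()
```

Running it shows the two halves of the thread's question: for both methods the only plaintext fields are the hostname and an approximate size, so a listener cannot read the URL string of a GET over TLS. The access log lines, however, differ: the GET line contains `card=4111111111111111`, the POST line does not. The same split applies to browser history and to the `Referer` header sent to third-party resources, which is why a defender would still keep card data out of query strings even when the transport is encrypted.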