Are security concerns sending a password using a GET request over https valid?

surfmuggle · Oct 31, 2014 · Viewed 17.3k times

We have webpage which uses the -framework to build a . The communication between the browser and the server uses . The interaction to log into the page is the following:

  1. The user opens the website by entering https://myserver.com in the browser
  2. A login dialogue with two form fields for username and password is shown.
  3. After entering username and password and pressing the login button,
  4. an AJAX request is sent using GET to the URL: https://myusername:[email protected]/foo/bar/metadata

According to my understanding using GET to send sensitive data is never a good idea. But this answer to HTTPS is the url string secure says the following

HTTPS establishes an underlying SSL connection before any HTTP data is
transferred. This ensures that all URL data (with the exception of
hostname, which is used to establish the connection) is carried solely
within this encrypted connection and is protected from
man-in-the-middle attacks in the same way that any HTTPS data is.

And in another answer in the same thread:

These fields [for example form field, query strings] are stripped off
of the URL when creating the routing information in the https packaging 
process by the browser and are included in the encrypted data block.

The page data (form, text, and query string) are passed in the
encrypted block after the encryption methods are determined and the
handshake completes.

But it seems that there still might be security concerns using :

Is this the case for URLs like?

    https://myusername:[email protected]/foo/bar/metadata
    // or 
    https://myserver.com/?user=myUsername&pass=MyPasswort

Additional questions on this topic:

On security.stackexchange there is additional information:

But in my opinion a few aspects are still not answered

Question

In my opinion the mentioned points are valid objections to not using GET. Is this the case; is using GET for sending passwords a bad idea?

Are these the attack options, are there more?

  • browser history
  • server logs (assuming that the url is stored in the logs unencrypted or encrypted)
  • referer information (if this is really the case)

Which attack options do exist when sending sensitive data (password) over https using get?

Thanks

Answer

Steffen Ullrich · Oct 31, 2014

Sending any kind of sensitive data over GET is dangerous, even if it is HTTPS. These data might end up in log files at the server and will be included in the Referer header in links to or includes from other sites. They will also be saved in the history of the browser so an attacker might try to guess and verify the original contents of the link with an attack against the history.

Apart from that you better ask that kind of questions at security.stackexchange.com.
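To make the server-log and Referer points from the answer concrete, here is an added example (not code from either poster) that scans constructed Apache/nginx "combined" access-log lines for credentials carried in query strings, both in the request line and in the Referer field, and scrubs them before the log is kept or shipped. It covers the `?user=...&pass=...` form from the question; the parameter-name list and the sample log lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names that should never reach a log (hypothetical list; extend as needed).
SENSITIVE_PARAMS = {"pass", "password", "passwd", "pwd", "token", "secret"}

# "combined" log format: ... "METHOD target HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<prefix>.*?) "(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: a login via GET, a follow-up image request that leaks the
# login URL through Referer, and a POST login whose body (and password) is not logged.
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Oct/2014:10:00:01 +0000] "GET /?user=myUsername&pass=MyPasswort HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [31/Oct/2014:10:00:02 +0000] "GET /static/logo.png HTTP/1.1" 200 2048 "https://myserver.com/?user=myUsername&pass=MyPasswort" "Mozilla/5.0"',
    '203.0.113.5 - - [31/Oct/2014:10:00:03 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def redact_query(url_or_path):
    """Return (redacted URL, names of sensitive parameters found). Values are replaced, names kept."""
    parts = urlsplit(url_or_path)
    leaked, params = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            leaked.append(name)
            value = "[REDACTED]"
        params.append((name, value))
    # keep the brackets of the marker unescaped so the scrubbed log stays readable
    return urlunsplit(parts._replace(query=urlencode(params, safe="[]"))), leaked


def scan_log_line(line):
    """Flag and scrub credentials in both the request target and the Referer header."""
    m = LOG_RE.match(line)
    if not m:
        return line, []  # unknown format: leave untouched, report nothing
    target, t_leaks = redact_query(m["target"])
    referer, r_leaks = (m["referer"], []) if m["referer"] == "-" else redact_query(m["referer"])
    findings = [f"request:{n}" for n in t_leaks] + [f"referer:{n}" for n in r_leaks]
    clean = (f'{m["prefix"]} "{m["method"]} {target} {m["proto"]}" {m["status"]} {m["size"]} '
             f'"{referer}" "{m["ua"]}"')
    return clean, findings


def scan_access_log(lines):
    """Scrub every line; returns a list of (clean_line, findings) pairs."""
    return [scan_log_line(line) for line in lines]


if __name__ == "__main__":
    for clean, findings in scan_access_log(SAMPLE_LOG):
        print(findings or "ok", "|", clean)
```

Note that browsers turn the `https://user:pass@host/...` form into an `Authorization` header rather than putting it in the request target, so that variant is not visible in these request-line fields.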