10/25/2009

Is it safe and secure to send query string data using https / ssl URL?

When you send data using a query string, is it encrypted / hidden? 

Can anyone see my variable values when I submit with them using a web address / GET request?


I've been wondering this for a long while. And the answer is:
YES (probably).

In theory, your browser would do something like this:
  • Read in your request: https://someaddress.com/?mypassword=bugsbunny&creditcard=123412341234
  • Resolve the address to someaddress.com: 255.254.253.252
  • Connect with the web server at that IP address (port 443) using a secure handshake with SSL.
  • Transmit your encrypted request.
  • Disconnect.
If that's good enough for your purposes, you're probably okay.

For example, PayPal allows authorized users to perform searches and make credit transactions like this all the time.

The main concern, in theory, appears to be the possible use of "sniffers," programs placed along networks that can read transactions. If the transactions are not encrypted, the data can be easily read.

The best suggestion is, if you have control over the program on the receiving end (not the case with PayPal), you could:
  1. Encrypt your data on your local machine
  2. Send that data via the https / SSL connection
  3. Decrypt the data when it is received on the other end.
Don't take my word for it alone. Do you research. I can't imagine anything worse than losing your customers' trust, and having to answer to authorities for why you inadvertently exposed their personal data and financial information.

No comments :

Post a Comment