Why am I not surprised...
-
John Simmons / outlaw programmer wrote:
First, https has been proven to be almost as insecure as plain text.
Did I say https wrong? Should I have said TLS? or whatever the current standard is? So I guess you don't buy anything online, right? :laugh: Also, I believe querystrings are encrypted via HTTPS. If you set up HTTPS properly, everything between browser and server are encrypted: Here's just one of many answers you get when you google that: ssl - Is an HTTPS query string secure? - Stack Overflow[^] Here's a quote from the top answer that is returned:
google knows quote:
remember, SSL/TLS operates at the Transport Layer, so all the crypto goo happens under the application-layer HTTP stuff. The entire transmission, including the query string, the whole URL, and even the type of request (GET, POST, etc.) is encrypted when using HTTPS
This query string isn't encrypted: https://www.codeproject.com/script/Forums/Edit.aspx?fid=1159&select=5451820&floc=/Lounge.aspx&action=r
".45 ACP - because shooting twice is just silly" - JSOP, 2010
-----
You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
-----
When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013 -
raddevus wrote:
Also, I believe querystrings are encrypted via HTTPS.
link URLs are stored in web server logs - typically the whole URL of each request is stored in a server log. This means that any sensitive data in the URL (e.g. a password) is being saved in clear text on the server
That's not relevant though. Of course the server can see the decrypted data. Otherwise it couldn't use the data. The point is whether someone along the route of the Internet would be able to read the data. If the server saves the data somewhere after the fact in cleartext has nothing to do with HTTPS. That could be true for __any__ encryption scheme. EDIT Although it is a good point about the IIS logs having querystring values decrypted -- and that is a bit nuts but there may be a setting to handle that on IIS. Ah, just found it. You just turn it off for specific fields (URI Query (cs-uri-query)) then the password via querystring woldn't be logged at all? A gotcha to know though: Select W3C Fields to Log (IIS 7)[^]
-
This query string isn't encrypted: https://www.codeproject.com/script/Forums/Edit.aspx?fid=1159&select=5451820&floc=/Lounge.aspx&action=r
".45 ACP - because shooting twice is just silly" - JSOP, 2010
-----
You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
-----
When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013If you like, Pualee are talking about encryption on the server side, then you are correct, data is not encrypted by some magical means once it gets to the server. Any scheme you would use will require you to encrypt the data in some way for storage once the data gets to your server. HTTPS is for secure communication over HTTP. Maybe you're looking for an auto-encrypted data stream to storage device? That's a totally different animal, right? EDIT Also, if you're saying because you can see the CP querystrings that proves that HTTPS doesn't encrypt querystrings...well that is because they expose querystrings here to create trackback links. If they didn't expose those then you'd never be able to sniff them out of the HTTP stream, because they are encrypted before they are sent to the server and only the server can decrypt them. That's the point of encryption for communication.
-
I spread cheer about Qlikview on a regular basis.
".45 ACP - because shooting twice is just silly" - JSOP, 2010
-----
You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
-----
When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013 -
That's not relevant though. Of course the server can see the decrypted data. Otherwise it couldn't use the data. The point is whether someone along the route of the Internet would be able to read the data. If the server saves the data somewhere after the fact in cleartext has nothing to do with HTTPS. That could be true for __any__ encryption scheme. EDIT Although it is a good point about the IIS logs having querystring values decrypted -- and that is a bit nuts but there may be a setting to handle that on IIS. Ah, just found it. You just turn it off for specific fields (URI Query (cs-uri-query)) then the password via querystring woldn't be logged at all? A gotcha to know though: Select W3C Fields to Log (IIS 7)[^]
Hidden fields within the form data are the way we go here. They are encrypted with the form, but not logged. You should never be able to reproduce a users password (thus the 1 way comparisons in the DB). If it was safe to have plain text passwords anywhere, there would be no need for this.
-
Hidden fields within the form data are the way we go here. They are encrypted with the form, but not logged. You should never be able to reproduce a users password (thus the 1 way comparisons in the DB). If it was safe to have plain text passwords anywhere, there would be no need for this.
-
I spread cheer about Qlikview on a regular basis.
".45 ACP - because shooting twice is just silly" - JSOP, 2010
-----
You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
-----
When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013Yup the local plant life appreciates the shit you heap on Qlikview!
Never underestimate the power of human stupidity RAH
-
Hey John, Just use
RequireHttps.Nish Nishant Consultant Software Architect Ganymede Software Solutions LLC www.ganymedesoftwaresolutions.com
-
If you like, Pualee are talking about encryption on the server side, then you are correct, data is not encrypted by some magical means once it gets to the server. Any scheme you would use will require you to encrypt the data in some way for storage once the data gets to your server. HTTPS is for secure communication over HTTP. Maybe you're looking for an auto-encrypted data stream to storage device? That's a totally different animal, right? EDIT Also, if you're saying because you can see the CP querystrings that proves that HTTPS doesn't encrypt querystrings...well that is because they expose querystrings here to create trackback links. If they didn't expose those then you'd never be able to sniff them out of the HTTP stream, because they are encrypted before they are sent to the server and only the server can decrypt them. That's the point of encryption for communication.
No, I simply don't want people to be able to see the query string in the URL as anything more than a block of encrypted gibberish.
".45 ACP - because shooting twice is just silly" - JSOP, 2010
-----
You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
-----
When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013 -
Hey John, Just use
RequireHttps.Nish Nishant Consultant Software Architect Ganymede Software Solutions LLC www.ganymedesoftwaresolutions.com
THAT'S.NOT.WHAT.I'M.TALKING.ABOUT.
".45 ACP - because shooting twice is just silly" - JSOP, 2010
-----
You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
-----
When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013 -
No, I simply don't want people to be able to see the query string in the URL as anything more than a block of encrypted gibberish.
".45 ACP - because shooting twice is just silly" - JSOP, 2010
-----
You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010
-----
When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013 -
Ah I get what you are saying. The QueryString itself should be encrypted in some way so you can pass it along, users could see it and have no idea what the values are. That's interesting.
He could just use Post instead of Get, or use something like Angular so the user won't see the QS.
Nish Nishant Consultant Software Architect Ganymede Software Solutions LLC www.ganymedesoftwaresolutions.com
