Possible Duplicate:
How secure is a HTTP POST?
Suppose I have a login page in php where a user is required to enter his name and password. form method
is post in this case.
Now someone(my friend) told me that the information(username and password) that is entered and sent to the server can be hacked just by fetching the header of the resulting page generated. So you should encrypt the header and that is why HTTPS is used.
This didn't make sense to me because I thought the information (username and password) sent via post
method are completely secure and just by header hacking one cannot have access to to the username and password.
Is my friend correct? If no is there any way to do such stuff for someone who has no access to the code? How can I send my private information via HTTPS (page to be coded in php)?
EDIT:
Data through get
method is sent via header. Right? Is data through post
also sent via header?
It is a standard practice to send "plain text" passwords over HTTPS via POST method. As we all know the communication between client-server is encrypted as per TLS, so HTTPS secures the password.
Having a strong and separate password for your email means that if cyber criminals steal the password for one of your less-important accounts, they can't use it to access your email account. The NCSC encourages people to use password managers, which can create strong passwords for you (and remember them).
GET is less secure than POST because sent data is part of the URL. POST is a little safer than GET because the parameters are stored neither in the browser history nor in the web server logs.
Your password is not secure if you just send it with POST - still visible and unencrypted, albeit a tiny bit less obvious.
Sending an unencrypted password via POST is the most insecure, yet still relatively sane way of doing this. (yes, there are less secure ways, but those are completely insane - sending a password form through GET is about as secure as broadcasting it on TV or printing it in the newspaper).
This is what a typical GET request looks like:
GET http://somedomain.example.com/path/file?here=are&the=GET¶meters=.
X-Some-Header: header content
X-Another-Header: 1
Here's a similar POST request (note that you can send both GET and POST parameters in a POST request):
POST http://somedomain.example.com/path/file?here=are&the=GET¶meters=.
X-Some-Header: header content
X-Another-Header: 1
Content-Length: 40
with_POST&=the&content=is&here_in=the&request=body
As you can see, HTTP is a completely plaintext protocol - there is no encryption performed on the data, so anyone can view and/or modify it in transit. Access to the code is not necessary at all - just watch the traffic and your data will be there, for anyone to see (you can verify this with tools such as Wireshark which allows you to view network traffic).
To remove this need to trust the whole world, HTTPS (S is for Secure) was created, which provides encryption ("only the sender and receiver can read it") and authentication ("the server is indeed yourserver.example.com, and not evilserver.example.net").
HTTPS is a wrapper around HTTP: where with HTTP, the client connects to the webserver and starts the conversation, HTTPS first establishes a secure SSL tunnel, and the HTTP communication goes through that. Setting up a HTTPS server is a bit more complex than HTTP, see e.g. this article.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With