raddevus wrote: everything between browser and server is encrypted
Apart from the domain name, which needs to be sent unencrypted for SNI:
Server Name Indication - Wikipedia
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
Richard Deeming wrote: Apart from the domain name, which needs to be sent unencrypted for SNI
Ah, good additional information.
So an attacker could at least know which domain you are going against. Interesting.
But of course the rest of the info (specific URL, querystrings, etc.) is safe.
Thanks for the addt'l info.
raddevus wrote: Also, I believe querystrings are encrypted via HTTPS.
link
URLs are stored in web server logs - typically the whole URL of each request is stored in a server log. This means that any sensitive data in the URL (e.g. a password) is being saved in clear text on the server
That's not relevant though. Of course the server can see the decrypted data.
Otherwise it couldn't use the data.
The point is whether someone along the route of the Internet would be able to read the data.
Whether the server saves the data somewhere after the fact in cleartext has nothing to do with HTTPS.
That could be true for __any__ encryption scheme.
EDIT
Although it is a good point about the IIS logs having querystring values decrypted -- and that is a bit nuts but there may be a setting to handle that on IIS.
Ah, just found it. You just turn it off for specific fields (URI Query (cs-uri-query)) and then the password via querystring wouldn't be logged at all? A gotcha to know though:
Select W3C Fields to Log (IIS 7)
modified 6-Nov-17 15:00pm.
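The two posts above make the same point from opposite ends: HTTPS protects the query string on the wire, but once the request is decrypted the web server writes the full URL, cs-uri-query included, into its access log. The following is an added example (not code from the thread or from IIS) that parses a constructed IIS-style W3C log, flags sensitive parameter names that ended up in cs-uri-query, and redacts them before the log is stored or shipped anywhere. The log lines, the field set and the list of sensitive key names are all assumptions made for the example; note that the POST request in the sample carries `-` in cs-uri-query, which is exactly why the hidden-field / POST approach discussed later in the thread keeps the password out of the log.

```python
"""Parse IIS W3C extended log lines and redact secrets carried in cs-uri-query."""
from urllib.parse import parse_qsl, urlencode

# Constructed sample log (not real server output). The #Fields line is the
# W3C header that names each space-separated column; "-" means "no value".
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2017-11-06 14:58:01 10.0.0.5 GET /login.aspx user=alice&password=hunter2 443 - 203.0.113.7 302
2017-11-06 14:58:03 10.0.0.5 POST /login.aspx - 443 - 203.0.113.7 302
2017-11-06 14:58:09 10.0.0.5 GET /search.aspx q=https+query+strings&page=2 443 alice 203.0.113.7 200
"""

# Assumed list of parameter names that must never reach a log in clear text.
SENSITIVE_KEYS = {"password", "pwd", "token", "session", "apikey"}


def parse_w3c(text):
    """Return one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no request
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            raise ValueError("log line does not match #Fields header: %r" % line)
        records.append(dict(zip(fields, values)))
    return records


def find_leaks(records):
    """List (cs-uri-stem, key) pairs where a sensitive key was logged in the query."""
    leaks = []
    for rec in records:
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue  # POST bodies and bare URLs leave this column empty
        for key, _ in parse_qsl(query, keep_blank_values=True):
            if key.lower() in SENSITIVE_KEYS:
                leaks.append((rec["cs-uri-stem"], key))
    return leaks


def redact_query(query):
    """Replace the value of every sensitive key; other pairs round-trip unchanged."""
    if query == "-":
        return query
    pairs = parse_qsl(query, keep_blank_values=True)
    return urlencode(
        [(k, "REDACTED" if k.lower() in SENSITIVE_KEYS else v) for k, v in pairs]
    )


def redact_log(text):
    """Rewrite a whole W3C log, redacting only the cs-uri-query column."""
    out = []
    query_index = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            query_index = line.split()[1:].index("cs-uri-query")
        elif line and not line.startswith("#") and query_index is not None:
            values = line.split(" ")
            values[query_index] = redact_query(values[query_index])
            line = " ".join(values)
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    for stem, key in find_leaks(parse_w3c(SAMPLE_LOG)):
        print("sensitive parameter %r logged for %s" % (key, stem))
    print(redact_log(SAMPLE_LOG))
```

Redacting at the log-writer is a safety net; the setting the post links to (dropping cs-uri-query from the logged field set) and keeping secrets out of the URL in the first place are the primary controls.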
Hidden fields within the form data are the way we go here. They are encrypted with the form, but not logged. You should never be able to reproduce a user's password (thus the 1-way comparisons in the DB). If it was safe to have plain text passwords anywhere, there would be no need for this.
Agree! Great, interesting discussion.
This query string isn't encrypted:
https://www.codeproject.com/script/Forums/Edit.aspx?fid=1159&select=5451820&floc=/Lounge.aspx&action=r
".45 ACP - because shooting twice is just silly" - JSOP, 2010 ----- You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010 ----- When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013
If you, like Pualee, are talking about encryption on the server side, then you are correct, data is not encrypted by some magical means once it gets to the server.
Any scheme you would use will require you to encrypt the data in some way for storage once the data gets to your server.
HTTPS is for secure communication over HTTP.
Maybe you're looking for an auto-encrypted data stream to storage device?
That's a totally different animal, right?
EDIT
Also, if you're saying because you can see the CP querystrings that proves that HTTPS doesn't encrypt querystrings...well that is because they expose querystrings here to create trackback links. If they didn't expose those then you'd never be able to sniff them out of the HTTP stream, because they are encrypted before they are sent to the server and only the server can decrypt them.
That's the point of encryption for communication.
No, I simply don't want people to be able to see the query string in the URL as anything more than a block of encrypted gibberish.
Ah I get what you are saying. The QueryString itself should be encrypted in some way so you can pass it along, users could see it and have no idea what the values are.
That's interesting.
He could just use Post instead of Get, or use something like Angular so the user won't see the QS.
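The three posts above ask for a query string the user sees only as opaque gibberish, and then note that POST would avoid exposing it at all. A common alternative to encrypting the values, and the one shown here as an added example (not code from the thread or from any framework it mentions), is to keep the real parameters server-side and put only a random, single-use, expiring reference in the URL. The store, the `ref` parameter name, the TTL and the example parameter values are assumptions; a real deployment would back the store with storage shared across web servers. The values `fid` and `select` come from the URL quoted earlier in the thread.

```python
"""Opaque reference tokens instead of readable (or encrypted) query strings."""
import secrets
import time
from urllib.parse import parse_qsl, urlparse


class ReferenceStore:
    """Server-side map from random token to the parameters it stands for.

    The browser, proxies and access logs only ever see the token, which carries
    no information on its own. Tokens expire and are consumed on first use.
    """

    def __init__(self, ttl_seconds=300, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._items = {}

    def issue(self, params):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, URL-safe
        self._items[token] = (dict(params), self._clock() + self._ttl)
        return token

    def redeem(self, token, consume=True):
        """Return the stored params, or None if unknown, expired or already used."""
        entry = self._items.get(token)
        if entry is None:
            return None
        params, expires_at = entry
        if self._clock() > expires_at:
            del self._items[token]
            return None
        if consume:
            del self._items[token]
        return dict(params)

    def purge_expired(self):
        """Drop expired entries; returns how many were removed."""
        now = self._clock()
        stale = [t for t, (_, exp) in self._items.items() if now > exp]
        for t in stale:
            del self._items[t]
        return len(stale)


def build_url(base, store, params):
    """Assumed helper: the only query parameter in the link is the opaque 'ref'."""
    return "%s?ref=%s" % (base, store.issue(params))


def resolve_url(url, store):
    """Assumed helper: look the 'ref' up again on the server side."""
    token = dict(parse_qsl(urlparse(url).query)).get("ref")
    return store.redeem(token) if token else None


if __name__ == "__main__":
    store = ReferenceStore(ttl_seconds=60)
    link = build_url("https://example.invalid/Edit.aspx", store,
                     {"fid": "1159", "select": "5451820", "action": "r"})
    print(link)  # nothing about fid/select/action is visible in the link
    print(resolve_url(link, store))  # the server recovers the parameters once
```

Compared with encrypting the values into the URL, this also gives the server a say in how long the link is valid and how many times it can be used, which matters for links that are forwarded, bookmarked or copied out of a log.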
You know what I enjoy about your posts John... I know every time I read one it's filled with positivity and joy and always brightens my day. It's nice to know you never complain and that you're doing your part to help spread the cheer. Thank you for your service.
Jeremy Falcon
I spread cheer about Qlikview on a regular basis.
You're absolutely right, every time I read one of your posts about Qlikview I'm downright giddy with excitement because I've never had to use it (and hopefully never will).
Yup the local plant life appreciates the sh*t you heap on Qlikview!
Never underestimate the power of human stupidity
RAH
Of course it does, by being completely protocol agnostic. An Ops concern is not, and shouldn't be, a Developer concern.
"There are three kinds of lies: lies, damned lies and statistics."
- Benjamin Disraeli
Hey John,
Just use RequireHttps .
Starting to think people post kid pics in their profiles because that was the last time they were cute - Jeremy Falcon.
THAT'S.NOT.WHAT.I'M.TALKING.ABOUT.
Is the cost of doing business with Nigeria “Phisher Price”?
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...
AntiTwitter: @DalekDave is now a follower!
Stop toying with us.
/ravi
He'll never lego of this thing.
"the debugger doesn't tell me anything because this code compiles just fine" - random QA comment
"Facebook is where you tell lies to your friends. Twitter is where you tell the truth to strangers." - chriselst
"I don't drink any more... then again, I don't drink any less." - Mike Mullikin's uncle
Yes. I recommend dealing with Wales. That is much sheeper.
... such stuff as dreams are made on
nah, try Hungary, there's nothing they won't take
Installing Signature...
Do not switch off your computer.
I'd suggest turkey - but not if you like grease.