70

Is a POST secure enough to send login credentials over?

Or is an SSL connection a must?

Matt
  • 4,659
  • 11
  • 37
  • 45
  • See previous question (http://stackoverflow.com/questions/1008539/how-secure-is-a-http-get-when-the-data-is-url-encoded). – Matthew Flaschen Jun 17 '09 at 18:12
  • 7
    Hey Matt, before you ask, yes, you need to hash the login password that you store on the server. – erickson Jun 17 '09 at 18:13
  • 1
    I think it is a serious question. Check out Matt's other questions and you will see that he is probably a novice, hence the seemingly naive question. – JohnFx Jun 17 '09 at 18:15
  • 3
    @JohnFX: Nothing wrong with that! – Andy Mikula Jun 17 '09 at 18:22
  • 3
    It is a serious question. I thought that since the data wasn't passed in the querystring that it was not easily retrievable by hackers. I just used login credentials as an example because I know a lot of people get concerned when it comes to the way programmers deal with credentials. – Matt Jun 20 '09 at 17:16
  • Only if you like sending your passwords in clear text. – 3Dave Mar 14 '10 at 16:36
  • If I run my own testing server [used for playing with the code, not for admin stuff] and I only connect to it from my desktop, then I don't need to secure my login credentials. Of course, for everything else I should use SSH. – SamGoody Feb 10 '14 at 10:31

14 Answers

84

SSL is a must.

The POST method is not more secure than GET, as it also gets sent unencrypted over the network.

SSL will cover the whole HTTP communication and encrypt the HTTP data being transmitted between the client and the server.

HosseyNJF
  • 449
  • 1
  • 7
  • 17
Gumbo
  • 594,236
  • 102
  • 740
  • 814
  • 8
    A must? For a My Little Pony fan forum? Is a ptarmigan shielded terminal, quantum encryption and a tested leased line also required? – Martin Beckett Jun 17 '09 at 18:09
  • 13
    @mgb: Leased? You've got to be kidding me. If you don't own the copper all the way through, how can you be sure it's secure?! – Andy Mikula Jun 17 '09 at 18:12
  • 134
    Yes, because people use the same password for My Little Pony fan forum and their bank account. – erickson Jun 17 '09 at 18:12
  • 71
    ponygirl88 wanted an account and Mommy created it for her. Mommy used the same username and password that she uses for her investment account. MLP Developer forgot to require authentication over SSL. Mommy lost all the money and now ponygirl88 can't go to college. Just use SSL. – yfeldblum Jun 17 '09 at 18:13
  • 2
    @erickson: I know that was supposed to be sarcastic, but people do use the same password for -everything-, and they have trouble remembering even that. – Andy Mikula Jun 17 '09 at 18:20
  • 13
    It wasn't sarcasm. I'm not sure why you would think it was. It's a huge problem; most programmers don't even grasp the problem, and it's unreasonable for those that do to expect "normal" people to worry about it. – erickson Jun 17 '09 at 18:27
  • 1
    SSL is a must because without it, anyone could intercept your users' login and gain access to that account and possibly even an admin-level account. This happens all the time on forum-type sites. Next thing you know your My Little Pony site will be full of Gucci bag ads, and probably a lot worse. If you use SSL and send login and confidential information in the body of the POST request it will be encrypted and protected. If you use a "GET" request even with SSL this data will be in the URL; again, every server between the user and destination will have a copy of this data in their logs. – Agile Noob Oct 11 '16 at 14:14
  • Hey @MartinBeckett, this is an OLD comment but FYI Google, Amazon, Facebook announced they are going ALL HTTPS for now on. Google is also prioritizing HTTPS sites over HTTP. Basically everyone is moving to HTTPS now so you gotta get with it ;) – Katie Jan 31 '17 at 22:57
  • 1
    Hey @KatieS, a shame that they now sell the same info we are all trying to protect. We need to shift to a new platform to reclaim the internet from the Facebook mafia. – sijpkes Oct 15 '18 at 00:02
  • 1
    @sijpkes very true, they are taking our information for themselves to profit off of! – Katie Oct 15 '18 at 16:43
  • And after you go through implementing the use of SSL/TLS you can then start to worry about how to secure the data from someone running a tool like fiddler where it intercepts and decodes encrypted HTTPS traffic coming from the local machine ... – jonchicoine Nov 21 '19 at 13:41
42

<shameless plug>I have a blog post that details what an HTTP request looks like and how a GET request compares to a POST request. For brevity's sake, GET:

GET /?page=123 HTTP/1.1 CRLF
Host: jasonmbaker.wordpress.com CRLF
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_6; en-us) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1 CRLF
Connection: close CRLF

and POST:

POST / HTTP/1.1 CRLF
Host: jasonmbaker.wordpress.com CRLF
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_6; en-us) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1 CRLF
Connection: close CRLF
CRLF
page=123

(The CRLF is just a newline)

As you can see, the only differences from the standpoint of how a request is formed* are that a POST request uses the word POST and that the form data is sent in the body of the request rather than in the URI. Thus, using HTTP POST is security by obscurity. If you want to protect data, you should use SSL.

* Note that there are other differences.

Jason Baker
  • 171,942
  • 122
  • 354
  • 501
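Added example (mine, not code from Jason Baker's answer or his blog post): the same login form built as a raw HTTP GET and a raw HTTP POST in Python, then inspected the two ways that matter on plain HTTP, a substring search over the bytes as a passive sniffer would do, and the request line alone as a typical server or proxy access log records it. The host, path and credentials are constructed sample values.

```python
"""Added example: the same login form as a raw HTTP GET and a raw HTTP POST,
viewed the way a passive sniffer and a server access log would see them.
Illustration code, not from the original answer or blog post."""
from urllib.parse import urlencode

CRLF = "\r\n"
HOST = "forum.example"                               # hypothetical host
CREDS = {"user": "ponygirl88", "pass": "hunter2"}    # constructed demo values


def build_get(path, params, host=HOST):
    """Raw HTTP/1.1 GET: the form data rides in the request-target (URI)."""
    return (
        f"GET {path}?{urlencode(params)} HTTP/1.1{CRLF}"
        f"Host: {host}{CRLF}"
        f"Connection: close{CRLF}"
        f"{CRLF}"
    ).encode()


def build_post(path, params, host=HOST):
    """Raw HTTP/1.1 POST: the same form data moves into the message body,
    after the blank line that ends the headers."""
    body = urlencode(params)
    return (
        f"POST {path} HTTP/1.1{CRLF}"
        f"Host: {host}{CRLF}"
        f"Content-Type: application/x-www-form-urlencoded{CRLF}"
        f"Content-Length: {len(body)}{CRLF}"
        f"Connection: close{CRLF}"
        f"{CRLF}"
        f"{body}"
    ).encode()


def sniff_for_secret(wire_bytes, secret):
    """What a sniffer (tcpdump, Wireshark, Fiddler) effectively does on plain
    HTTP: a substring search over the captured bytes. Returns offset or -1."""
    return wire_bytes.find(secret.encode())


def access_log_request_line(wire_bytes):
    """The part a typical web server or proxy access log records by default:
    the request line only. Bodies are normally not logged, which is the one
    real (and small) advantage POST has over GET."""
    return wire_bytes.split(b"\r\n", 1)[0].decode()


def compare_methods(path="/login", creds=CREDS):
    """For each method report whether the password is visible on the wire,
    which line of the raw request carries it (0 = request line), and whether
    it lands in the access-log request line."""
    report = {}
    for name, req in (("GET", build_get(path, creds)),
                      ("POST", build_post(path, creds))):
        offset = sniff_for_secret(req, creds["pass"])
        line_no = req[:offset].count(b"\r\n") if offset >= 0 else None
        report[name] = {
            "visible_on_wire": offset >= 0,
            "request_line_index": line_no,
            "in_access_log": creds["pass"] in access_log_request_line(req),
        }
    return report


if __name__ == "__main__":
    for method, facts in compare_methods().items():
        print(method, facts)
```

Both methods report the password as visible on the wire; only its position differs (request line for GET, body line for POST). The access-log column is the practical nuance behind "POST is better than GET but not secure": request lines end up in server, proxy and browser-history logs, bodies usually do not, but anyone on the network path sees both unless the connection is TLS.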
8

That depends on your circumstances, how much would the interception of the credentials cost somebody?

If it's just a login to a software Q+A site then SSL might not be necessary, if it's an online banking site or you store credit card data then it is.
This is a business, not a technical, decision.

Martin Beckett
  • 90,457
  • 25
  • 178
  • 252
  • 1
    Malfist: People reuse passwords all the time, but if you intercept a random password, do you know where else to use it? – TheTXI Jun 17 '09 at 19:18
  • 2
    If you are listening to traffic to grab credentials you can see any site the user visits. SSL does not hide the address, just the data. – Jim Jun 17 '09 at 19:46
  • 1
    Fair point Malfist - but, "you MUST do X" answers where X is SSL, unit testing, backups, RAD etc without questioning the cost/benefit are almost always the wrong answer. In this case gumbo was correct to point out to the OP that POST is no more secure than GET. – Martin Beckett Jun 17 '09 at 21:30
6

HTTP POST is not encrypted; it can be intercepted by a network sniffer, by a proxy, or leaked in the logs of the server with a customised logging level. Yes, POST is better than GET because POST data is not usually logged by a proxy or server, but it is not secure. To secure a password or other confidential data you must use SSL or encrypt the data before you POST. Another option would be to use Digest Authentication with the browser (see RFC 2617). Remember that (home-grown) encryption is not enough to prevent replay attacks; you must concatenate a nonce and other data (e.g. realm) before encrypting (see RFC 2617 for how it is done in Digest Auth).

user124546
  • 71
  • 2
5

SSL is a must :)

HTTP POST is transmitted in plain text. For example, download and use Fiddler to watch HTTP traffic. You can easily see the entire POST in there (or via a network traffic monitor like Wireshark).

Ken Pespisa
  • 21,026
  • 3
  • 53
  • 61
4

It is not secure. A POST can be sniffed just as easily as a GET.

driis
  • 151,614
  • 43
  • 262
  • 332
2

No...POST is not secure enough at all. SSL is a MUST.

POST only effectively hides the parameters in the query string. Those parameters can still be picked up by anybody looking at the traffic in between the browser and the end point.

Justin Niessner
  • 229,755
  • 35
  • 391
  • 521
2

The most secure way is to not send credentials at all.

If you use Digest Authentication, then SSL is NOT a must.

(NB: I am not implying that Digest Authentication over HTTP is always more secure than using POST over HTTPS).

ykaganovich
  • 13,997
  • 7
  • 55
  • 90
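Added example (not code from user124546's answer or the answer above, both of which refer to Digest Authentication): the RFC 2617 Digest exchange as a minimal client and server in Python, using the qop="auth" form of the response. It shows the two properties the answers rely on, that the password never appears in the Authorization header and that a captured header cannot be replayed against a fresh nonce. The realm, username and password are constructed values; the single-use nonce set is a simplification of the nonce-count (nc) tracking a real server does.

```python
"""Added example: RFC 2617 Digest Access Authentication, qop="auth" form,
as a minimal client/server pair. Illustration only, not code from the
answers above. Realm, user and password are constructed demo values."""
import hashlib
import secrets


def md5hex(s):
    # MD5 is what RFC 2617 specifies for Digest; it is not a recommendation
    # for new designs.
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, password, realm, method, uri, nonce, nc, cnonce, qop):
    """request-digest per RFC 2617 section 3.2.2.1 when qop is present:
    HA1 = MD5(user:realm:pass), HA2 = MD5(method:uri),
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    def __init__(self, realm, users):
        self.realm = realm
        self.users = users          # constructed: username -> password
        self.live_nonces = set()    # simplification of real nc tracking

    def challenge(self):
        """The WWW-Authenticate: Digest fields, with a fresh random nonce."""
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, method, auth):
        """Check Authorization: Digest fields. A nonce the server never issued,
        or one already consumed, is rejected: that is what stops a captured
        header from being replayed."""
        nonce = auth["nonce"]
        if nonce not in self.live_nonces:
            return False
        password = self.users.get(auth["username"])
        if password is None:
            return False
        expected = digest_response(auth["username"], password, self.realm,
                                   method, auth["uri"], nonce,
                                   auth["nc"], auth["cnonce"], auth["qop"])
        ok = secrets.compare_digest(expected, auth["response"])
        if ok:
            self.live_nonces.discard(nonce)   # single use
        return ok


def client_authorize(username, password, challenge, method, uri):
    """Build the Authorization: Digest fields. The password itself is never
    among them, only the MD5 response derived from it."""
    cnonce = secrets.token_hex(8)
    nc = "00000001"
    return {
        "username": username, "realm": challenge["realm"],
        "nonce": challenge["nonce"], "uri": uri, "qop": challenge["qop"],
        "nc": nc, "cnonce": cnonce,
        "response": digest_response(username, password, challenge["realm"],
                                    method, uri, challenge["nonce"],
                                    nc, cnonce, challenge["qop"]),
    }


def run_exchange(username="ponygirl88", password="hunter2"):
    """One successful login, a replay of the captured header, and a wrong
    password; returns the facts a reader would want to check."""
    server = DigestServer("forum.example", {username: password})
    auth = client_authorize(username, password, server.challenge(), "POST", "/login")
    first = server.verify("POST", auth)
    password_on_wire = any(password in str(v) for v in auth.values())
    replay = server.verify("POST", dict(auth))   # same header sent again
    bad = client_authorize(username, "wrong", server.challenge(), "POST", "/login")
    return {"first_login_ok": first, "password_on_wire": password_on_wire,
            "replay_ok": replay, "wrong_password_ok": server.verify("POST", bad)}


if __name__ == "__main__":
    print(run_exchange())
```

What Digest buys and what it does not: the password never crosses the wire and the nonce defeats a straight replay, which is why the answer above can say SSL is not strictly required for the password itself. The rest of the request, including any POST body, is still cleartext, the server has to hold the password (or HA1) in a form it can recompute rather than a salted slow hash, and a captured response can be guessed against offline because MD5 is fast, which is the reason for the NB in that answer and why TLS remains the usual recommendation.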
1

POST is plaintext.

A secure connection is a must.

That's why it's called a secure connection.

yfeldblum
  • 63,188
  • 11
  • 126
  • 168
1

A POST request alone is not secure because all the data is "traveling" in plain text.

You need SSL, to make it secure.

rogeriopvl
  • 42,645
  • 7
  • 51
  • 58
1

No, use SSL.

With POST the values are still submitted as plain text unless SSL is used.

TWA
  • 12,307
  • 12
  • 56
  • 89
1

The only difference between HTTP GET and HTTP POST is the manner in which the data is encoded. In both cases it is sent as plain-text.

In order to provide any sort of security for login credentials, HTTPS is a must.

You do not need an expensive certificate to provide HTTPS either. There are many providers that will issue very basic certificates for about $20USD. The more expensive ones include identity verification which is more of a concern for e-commerce sites.

tadman
  • 194,930
  • 21
  • 217
  • 240
  • Eddy Nigg's [Startcom](https://www.startcom.org/) will issue a certificate for [free](https://www.startssl.com/?app=25#90). Their certificates are trusted by [most browsers](https://www.startssl.com/?app=40). They charge for revocation because that's where most of the cost lies. – jww Sep 27 '13 at 06:54
0

POST data is sent in plain text if you are using an unencrypted HTTP connection. If this is secure enough depends on your usage (hint: it's not).

If the server, the client machine and ALL MACHINES BETWEEN THEM are all part of a controlled, fully trusted network, this may be OK.

Outside of these very limited circumstances (and sometimes even within them) plain text authentication is asking for trouble.

0

Please see this great article:

Protect Against Malicious POST Requests

https://perishablepress.com/protect-post-requests/

SandroMarques
  • 4,186
  • 34
  • 36