3

If a post request is sent from a client on a website without SSL, is the request secure?

For example, I visit a site badsecurity.com, and I login using a password:

  1. Will this password be encrypted if there is no SSL? (I am pretty sure it is not, unless it's https/ssl or there's some other encryption added to the form?)

  2. Is it possible for the post message to get intercepted somehow, say using a packet sniffer, and for the intruder to view the post request's text?

(I am not asking if post requests can be forged)

Improve this question

1 Answer 1

Reset to default
18

No. Not at all. They are sent in plaintext. Without SSL, a POST request is just as secure as a GET request. Sure, it may not show up in the URL, but it is not secure in any way.

Will this password be encrypted if there is no SSL?

No, the password will not be encrypted. The only reason it doesn't show up when you are typing it in is just the browser obscuring it so that people nearby cannot see your password in plaintext on your screen. It can be easily revealed by inspecting the DOM or using some javascript like this: javascript:alert($('input[type="password"]').value) .

Is it possible for the post message to get intercepted somehow, say using a packet sniffer, and for the intruder to view the post request's text?

This is absolutely possible, and very easy to do. A packet sniffer does exactly this, and can view POSTed usernames and passwords in plaintext. To someone sniffing HTTP requests, a POST request looks pretty much identical to a GET request, except a POST request has "POST" at the top instead of "GET."

You didn't ask, but yes, post requests can be forged as well.

Improve this answer
4
  • 3
    POST a teeeny tiny bit more secure than GET: POST parameters do not normally get logged by HTTP servers, GET parameters do. However, that's like worrying about losing a penny on a day you lost $100000. :P Commented Feb 28, 2014 at 3:30
  • If you want to see if your request is 'secure' a good HTTP Proxy is Fiddler - telerik.com/fiddler. This will show you the (unencrypted) data sent with the POST. Commented Feb 28, 2014 at 4:22
  • Does HTTPS protect POST requests on the client, or just in transit? Can data that I append to a HTTPS POST request be inspected by an end user? Commented Feb 22, 2022 at 20:22
  • @HashimAziz I think you just need to look up how https/TLS works. HTTPS uses TLS for securing communications between a client and server. Not sure what you mean exactly, but the client can of course decrypt what the server sends, because otherwise we would not be able to read html sent over https (for example). If you need to protect it from inspection by an end-user, then you'd need to encrypt it separately with a key that is not shared with the client. Commented Feb 23, 2022 at 21:05

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.