On Tue, 27 Jan 2009 00:41:59 GMT, email@example.com said:
> What if you are sniffing the traffic? For any http session the information is
> submitted in clear text.
If you're traffic sniffing, you'll see the data whether it's GET or POST. The distinction becomes important for things like http proxies and things that log/remember URLs - it's somewhat bad form to leave a userid/password sitting right there in the browser's 'recent URLs' list or in a logfile someplace.
Yes, the proper thing to do here is a POST over https.
Personally, I'm surprised that a frikking *domain registrar* is that clueless about basic security (the *biggest* issue in what would otherwise be a pretty minor vulnerability).
Or maybe I'm not, actually... I wonder what *else* they got wrong?
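As an added illustration of the point above (this is example code written for this page, not anything posted in the thread or used by the registrar in question): a small Python scanner over constructed Apache/nginx "combined" access-log lines that shows exactly where GET-submitted credentials end up. A GET puts the form fields in the request line, so they land in the server's access log (and in any proxy log, and in browser history) even when the connection is HTTPS; a POST carries them in the body, which access logs never record. The scanner goes one step beyond the post by also checking the Referer field, since a browser that loads an image or script from a page whose URL contains the credentials sends that URL along as the Referer. The log lines, hostnames and the list of sensitive parameter names are all assumptions made up for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed "combined" access-log layout:
#   host ident user [time] "METHOD target HTTP/x.y" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Parameter names that should never travel in a URL. This is an assumed starting
# list; extend it for the application actually being reviewed.
SENSITIVE = {
    "password", "passwd", "pwd", "pass",
    "userid", "user", "username", "login",
    "token", "session", "sessionid", "sid",
}

# Constructed sample log. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges and registrar.example is a made-up host.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Jan/2009:00:41:59 +0000] "GET /login.cgi?userid=alice&password=s3cret HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Jan/2009:00:42:03 +0000] "GET /img/logo.png HTTP/1.1" 200 8812 "https://registrar.example/login.cgi?userid=alice&password=s3cret" "Mozilla/5.0"
203.0.113.5 - - [27/Jan/2009:00:42:10 +0000] "GET /account?id=42 HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Jan/2009:00:43:10 +0000] "POST /login.cgi HTTP/1.1" 302 0 "https://registrar.example/login" "Mozilla/5.0"
198.51.100.7 - - [27/Jan/2009:00:44:00 +0000] "GET /reset?token=abcd1234 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""


def sensitive_params(url_or_path):
    """Return the sensitive parameter names in a URL's query string, in order."""
    query = urlsplit(url_or_path).query
    names = [name for name, _ in parse_qsl(query, keep_blank_values=True)]
    return [n for n in names if n.lower() in SENSITIVE]


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_credential_leaks(log_text):
    """Scan access-log text and return one finding per request that exposes
    sensitive parameters, either in its own request line or through the Referer."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        # Only a GET carries form data in the request line. A POST body is not
        # written to the access log, which is why POST is the right choice here.
        if rec["method"] == "GET":
            hit = sensitive_params(rec["target"])
            if hit:
                findings.append({
                    "line": lineno, "via": "request", "host": rec["host"],
                    "path": urlsplit(rec["target"]).path, "params": hit,
                })
        # Credentials in a page URL also leak to every resource that page loads,
        # because the browser sends that URL as the Referer.
        referer = rec.get("referer") or ""
        if referer and referer != "-":
            hit = sensitive_params(referer)
            if hit:
                findings.append({
                    "line": lineno, "via": "referer", "host": rec["host"],
                    "path": urlsplit(referer).path, "params": hit,
                })
    return findings


if __name__ == "__main__":
    for f in find_credential_leaks(SAMPLE_LOG):
        print(f"line {f['line']}: {f['via']} {f['path']} exposes {', '.join(f['params'])}")
```

Run against a real log, the same scan is a quick way to confirm whether a site has the problem discussed here without touching the site itself: any hit on a GET request line means the credentials are already sitting in that log, regardless of whether the connection was HTTPS.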