On Tue, 27 Jan 2009 00:41:59 GMT, infolookup@xxxxxxxxx said: > What if you are sniffing the traffic for any http session the information is > submitted in clear text. If you're traffic sniffing, you'll see the data whether it's GET or POST. The distinction becomes important for things like http proxies and things that log/remember URLs - it's somewhat bad form to leave a userid/password sitting right there in the browser 'recent URLS' list or in a logfile someplace. If you're passing the data in the URL, at best it can be obfuscated and reversed fairly easily (unless you've got enough Javascript to pop open a dialog window and use an entered value as a salt for encrypting before transmission). Yes, the proper thing to do here is a POST over https. Personally, I'm surprised that a frikking *domain registrar* is that clueless about basic security (the *biggest* issue in what would otherwise be a pretty minor vulnerability). Or maybe I'm not, actually.. I wonder what *else* they got wrong?
Attachment:
pgp7MvM4E6DoX.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/