by ShinTakuya 2223 days ago
No, https encrypts the URL as well (although the domain itself can be leaked via DNS). But in most respects query params are no different to the body security-wise. The main difference is that if you bookmark it, you may end up storing your sensitive data in your bookmarks.

Query params often end in stuff like web server (WAF, load-balancer, reverse proxy, ...) access logs and they might get accidentally exposed.

They shouldn't get exposed of course, but they do. [EDIT: redacted an example of some random dude's access log]

If you search for "password" in there you will likely see a new Mirai bot variant [1] bouncing credentials off the server looking for weblogin.cgi on vulnerable Zyxel devices.

I imagine PA highlighted this detail in their post ("weblogin.cgi accepts both HTTP GET and POST") exactly to ensure defenders don't restrict themselves to blocking or investigating only the more normal POST mechanism.

[1] https://unit42.paloaltonetworks.com/new-mirai-variant-mukash...
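An added example (not from this thread or from Unit 42) of the defender-side check the comment above describes: scan access log lines for credentials carried in a GET query string, flag them, and scrub the values before the log is shipped anywhere. The log lines, the `SENSITIVE_KEYS` list and the `weblogin.cgi` sample request are constructed for the example; the POST line passes through untouched because its credentials sit in the body, which an access log does not record.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-string keys that should never sit in an access log in clear text.
# (This list is an assumption for the example; extend it for your own apps.)
SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "secret", "api_key", "apikey"}

# Request field of a Common/Combined Log Format line: "GET /path?query HTTP/1.1"
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines, not a real server's log. The first one is the kind of
# GET-based login attempt the thread describes ending up in access logs.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2020:10:15:32 +0000] "GET /weblogin.cgi?username=admin&password=hunter2 HTTP/1.1" 401 0',
    '203.0.113.5 - - [10/Mar/2020:10:15:33 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Mar/2020:10:16:01 +0000] "POST /weblogin.cgi HTTP/1.1" 200 128',
]

def sensitive_params(target):
    """Return the sensitive query keys present in a request target, in order."""
    query = urlsplit(target).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True) if k.lower() in SENSITIVE_KEYS]

def redact_target(target):
    """Replace the values of sensitive query keys with [REDACTED]; keep the rest intact."""
    parts = urlsplit(target)
    pairs = [(k, "[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="[]")))

def scan_log(lines):
    """Yield (line_no, method, flagged_keys, redacted_line) for every line whose
    query string carries a sensitive key; lines without one are skipped."""
    for no, line in enumerate(lines, 1):
        m = _REQUEST_RE.search(line)
        if m is None:
            continue
        keys = sensitive_params(m.group("target"))
        if keys:
            redacted = line[:m.start("target")] + redact_target(m.group("target")) + line[m.end("target"):]
            yield no, m.group("method"), keys, redacted

if __name__ == "__main__":
    for no, method, keys, redacted in scan_log(SAMPLE_LOG):
        print(f"line {no}: {method} request carries {keys} in the query string")
        print("  scrubbed:", redacted)
```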

Yeah that's a fair point. So the security is worse in that sense, so many ways to leak it. It'd be insanity to put sensitive info in the query params either way. It's just not the appropriate place for them.
I had no clue the URL was encrypted too. So how does DNS work? Or does it send through plaintext the name of the server, and the rest of the URL has to be encrypted by the endpoint?
The domain name is not encrypted, but the path and querystring are.

So, a spy watching your https traffic knows that you're interacting with news.ycombinator.com (and possibly other things), but they don't know anything that goes after the `/`: which thread, whether you're POSTing or GETting, or of course any of the content.