If I make a classic website with a form like this:
<form method="GET" action="page2.php">
<input name="email" />
</form>
Then the email will be visible in the address bar; www.example.com/[email protected], there-for we have POST to hide it.
<form method="POST">
and you can no longer see it clearly in the browser address bar.
I am wondering does this mean that linking from website A (httpS://) to website B: httpS://www.other-domain.com/[email protected] and then website B picks up email and hides it directly would be secure? Since it's practically the same as the GET example above?
OR is this insecure somehow because the Query String is available to DNS servers when clicking the link? If you are already at a page then perhaps it doesn't need to do any DNS lookup again after submitting forms - there-by no leaking information?
Both websites using SSL/HTTPS and both websites are self-owned and trusted.
To clarify I am mainly interested weather the information could be leaked in network connections by doing this.
The point is to understand what the game is about and what we want to achieve by not allowing sensitive data to be put into URLs and get requests.
Well, the reason is, that even if we use TLS and encrypt the communication channel, every reverse proxy/load balancer along the way after unencrypting the message will be allowed to log out the request header for debug purposes. This may spread the sensitive information over places where it should not appear.
The other problem is that people may share URLs they find in their browsers tab just because they can, which is why we consider secrets in URL a design flaw.
The query string will not be made available to DNS servers no matter the case.
As you see it is not like the world will burn if you decide to pass email over a GET request like this. It is more like if you can do without, do without.