security - Can one's post request data be sniffed?

Question

I apologize, I am new to this and assume that I will mix some terms up.

I am trying to setup Google clientLogin and I am worried about sending my private information in the POST request.

From what I am reading, you have to create a post request to the URL they specify (https://www.google.com/accounts/ClientLogin) and POST the following data:

Email=<username>&Passwd=<password>&service=youtube&source=<source>

But if this request is just going over the wire, can't someone just sniff these requests and get your login information?

Is it encrypted because it is https? Would I only have to worry about this with http?

To be honest I am quite confused doing all this and if in addition to an answer to my question someone can point me to a good tutorial to using Google Maps with private Fusion tables I will send positive thoughts your way!

Answer 1

• HTTP requests go over the wire in plaintext - and thus can be sniffed easily.
• HTTPS are HTTP requests made through the Secure Socket Layer (SSL), which provides data encryption between the client and the server, identifies the server, and (optionally) identifies the client.

So, although it's possible to sniff the encrypted data, they can be considered secure while in transit - in other words, an attacker would not see the plaintext.

There are various attacks on HTTPS, but the most common are easily detectable, e.g. if you get a certificate error on a HTTPS site that used to work normally, this may be a sign of an attempted attack. For additional reading, see the questions tagged SSL on security.stackexchange.com

Long story short: POST over HTTPS is much more secure than over HTTP. (You still need to handle the data carefully on client- and server-side, HTTPS is a transport protection)

See also: https://security.stackexchange.com/questions/5/does-an-established-ssl-connection-mean-a-line-is-really-secure