Yes, you are right, my mistake, though querystrings are often written in
plaintext to server logs. Also, OAuth should be able to work securely
in a non-SSL secured context, so having sensitive OAuth data anywhere in
the request is a bad idea (and against the specification).

Cameron Kaiser wrote:

Just an FYI, there should be nothing sensitive in an OAuth URI... Which
is a good thing because even under SSL nothing in a querystring is
encrypted.

No. SSL is below the HTTP layer, meaning that the connection has to be set
up before the HTTP GET is even sent.

Of course, there are other ways to figure it out, such as DNS requests made,
etc.
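
On the remark above that querystrings are often written in plaintext to server logs, here is an added example (not part of the original thread) that masks chosen OAuth 1.0 query parameters in access-log lines before they are stored or shipped. The log format, the sample lines and the choice of which parameters to mask are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Request line inside a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

# Assumption: parameters the operator wants kept out of logs. These are
# OAuth 1.0 protocol parameter names; adjust the set for the API being logged.
MASKED = {"oauth_token", "oauth_signature", "oauth_verifier", "oauth_nonce"}


def redact_target(target, masked=MASKED):
    """Return (redacted_target, names_of_masked_params)."""
    parts = urlsplit(target)
    hits, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in masked:
            hits.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    if not hits:
        return target, hits  # lines without masked parameters stay byte-identical
    return urlunsplit(parts._replace(query=urlencode(pairs))), hits


def redact_line(line, masked=MASKED):
    """Redact the request target of one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []  # not a recognisable request line, pass through
    target, hits = redact_target(m.group("target"), masked)
    return line[:m.start("target")] + target + line[m.end("target"):], hits


# Constructed sample log lines (not taken from any real server).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2010:12:00:00 +0000] "GET /api/resource?count=20'
    '&oauth_consumer_key=ck1&oauth_token=tok123&oauth_signature=abc%2Bdef%3D HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2010:12:00:05 +0000] "GET /api/ping HTTP/1.1" 200 4',
]

if __name__ == "__main__":
    for raw in SAMPLE:
        clean, hits = redact_line(raw)
        print(clean, "| masked:", hits)
```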