Can data included in a URL be considered secure if the connection is made over HTTPS? For example, if a user clicks a link in an email that points to https://mysite.com?mysecretstring=1234 would it be possible for an attacker to grab "mysecretstring" from the URL?
SnapOverflow
The entire HTTP request (and response) is encrypted, including the URL.
But yes, there is a way an attacker could grab the full URL: through the Referer header. If there is any external file (Javscript, CSS, etc.) which is not over HTTPS, the full URL could be sniffed in the Referer header. Same if the user click on a link in the page that leads to an HTTP (no SSL) page.
Also, DNS requests are not encrypted, so an attacker could know the user is going to mysite.com.
No, they can see the connection ie mysite.com but not the ?mysecretstring=1234 the https is server to server
They would need to have the encryption key. Theoretically this is not possible but any good attack could. This is the whole purpose of SSL to encrypt all data sent to and from the server to prevent being able to sniff.
Keep your weblogs secure, or, don't even write them. If you get a remote exploit where the logs can be read, any URL data will be visible in the logs.
Only if they are able to sniff the https auth through some kind of spoofing