This is not true.
Query parameters are encrypted when you are on HTTPS. What is not secure is HTTP.
You see those params in your browser because, well, that’s where the request originates. And you get to see them again where the request terminates, i.e. Khadi’s server. Everything in between is over an encrypted channel.
Khadi & Village Industries Corporation website allows both HTTP and HTTPS. It’s only when you use an HTTP connection that your data travels unencrypted. It appears, from your screenshot, that you were using HTTPS. Your data is probably fine.
So, you have nothing to worry about as long as:
- The SSL certificate had no warnings/errors
- The private key used to initiate the SSL connection is not compromised
Which brings us to the question: How good is KVIC’s cert? Turns out, it’s not so good either:
This “Chain issues” is a warning – but one that can most likely be ignored (Khadi’s server is just being unhelpful by not sending you the whole cert chain, and making your browser work harder to verify the cert and OCSP stapling). And then it goes on to use a few weak ciphers. You can find the full result here.
Finally, just because we are on HTTPS, does it mean we should be passing sensitive data via query parameters? Absolutely not. That’s because query parameters are often logged (by default) in webserver log files – leading to an actual PII leak.
So, please take some time to understand your threat model before you jump to conclusions.