How secure is a HTTP POST?

Tags: Security, Post, Httpwebrequest, Xmlhttprequest

Security Problem Overview


Is a POST secure enough to send login credentials over?

Or is an SSL connection a must?

Security Solutions


Solution 1 - Security

SSL is a must.

POST method is not more secure than GET as it also gets sent unencrypted over network.

SSL will cover the whole HTTP communication and encrypt the HTTP data being transmitted between the client and the server.

Solution 2 - Security

<shameless plug>I have a blog post that details what an HTTP request looks like and how a GET request compares to a POST request. For brevity's sake, GET:

GET /?page=123 HTTP/1.1 CRLF
Host: jasonmbaker.wordpress.com CRLF
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_6; en-us) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1 CRLF
Connection: close CRLF

and POST:

POST / HTTP/1.1 CRLF
Host: jasonmbaker.wordpress.com CRLF
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_6; en-us) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1 CRLF
Connection: close CRLF
CRLF
page=123

(The CRLF is just a newline)

As you can see, the only differences from the standpoint of how a request is formed* is that a POST request uses the word POST and the form data is sent in the body of the request vs the URI. Thus, using HTTP POST is security by obscurity. If you want to protect data, you should use SSL.

* Note that there are other differences.
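The point above, that a POST differs from a GET only in where the form fields are encoded, can be checked mechanically. The following is an added example (not code from the answer or its blog post): a minimal HTTP/1.1 request parser that extracts form fields from either the query string of a GET or the urlencoded body of a POST, plus a check that lists which credential-like fields are readable by anyone who holds the raw bytes. The two sample requests, the host name and the set of field names treated as sensitive are constructed for the demo.

```python
"""Added example: show that GET and POST carry the same form fields in clear.

The parser handles the two encodings in the answer above: query-string
fields of a GET and the application/x-www-form-urlencoded body of a POST.
Sample requests and the SENSITIVE_FIELDS set are constructed for the demo.
"""
from urllib.parse import parse_qsl, urlsplit

# Field names treated as credentials for this demo (an assumption, not a standard)
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "pass"}


def parse_request(raw: bytes) -> dict:
    """Split a raw request into method, target, headers and decoded form fields."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # GET (and any other method) may carry fields in the query string
    params = dict(parse_qsl(urlsplit(target).query))
    # POST carries them in the body when the content type is urlencoded form data
    if method == "POST" and headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        params.update(parse_qsl(body.decode("iso-8859-1")))
    return {"method": method, "target": target, "headers": headers, "params": params}


def cleartext_credentials(raw: bytes) -> list:
    """Names of credential-like fields an observer of these exact bytes could read."""
    req = parse_request(raw)
    return sorted(k for k in req["params"] if k.lower() in SENSITIVE_FIELDS)


# Constructed sample requests: the same login, encoded as GET and as POST
GET_LOGIN = (b"GET /login?user=alice&password=hunter2 HTTP/1.1\r\n"
             b"Host: example.invalid\r\n"
             b"Connection: close\r\n\r\n")
POST_LOGIN = (b"POST /login HTTP/1.1\r\n"
              b"Host: example.invalid\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n"
              b"Content-Length: 27\r\n"
              b"Connection: close\r\n\r\n"
              b"user=alice&password=hunter2")

if __name__ == "__main__":
    for label, raw in (("GET", GET_LOGIN), ("POST", POST_LOGIN)):
        req = parse_request(raw)
        print(label, req["params"], "exposed:", cleartext_credentials(raw))
```

Both requests yield the same field dictionary and the same exposed field list; the only thing TLS changes is that the bytes handed to this parser are no longer available to anyone but the two endpoints.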

Solution 3 - Security

That depends on your circumstances: how much would the interception of the credentials cost somebody?

If it's just a login to a software Q+A site then SSL might not be necessary. If it's an online banking site or you store credit card data then it is.
This is a business, not a technical, decision.

Solution 4 - Security

HTTP POST is not encrypted, it can be intercepted by a network sniffer, by a proxy or leaked in the logs of the server with a customised logging level. Yes, POST is better than GET because POST data is not usually logged by a proxy or server, but it is not secure. To secure a password or other confidential data you must use SSL or encrypt the data before you POST. Another option would be to use Digest Authentication with the browser (see RFC 2617). Remember that (home grown) encryption is not enough to prevent replay attacks, you must concatenate a nonce and other data (eg. realm) before encrypting (see RFC 2617 for how it is done in Digest Auth).
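The nonce-and-realm construction the answer refers to is easiest to see written out. The following is an added example (not code from the answer or from RFC 2617 itself) of RFC 2617 Digest Authentication with qop="auth", with both the client side (building the Authorization header) and the server side (verifying it and refusing a replayed nonce count). Realm, user names, passwords and the cnonce are constructed demo values; the server keeps users in a plain dict, which a real server would replace with stored H(A1) values. Digest is MD5-based and RFC 7616 has since updated it, but the mechanism that defeats replay, a server nonce combined with a per-request count, is unchanged.

```python
"""Added example: RFC 2617 Digest Authentication (qop="auth"), both sides.

Shows why the answer says a nonce and the realm must go into the hash:
the password never leaves the client, and a captured header cannot be
replayed because the (nonce, nc) pair is consumed on first use.
Demo values (realm, users, cnonce) are constructed; not from the answer.
"""
import hashlib
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = H(H(A1):nonce:nc:cnonce:qop:H(A2)), RFC 2617 section 3.2.2."""
    ha1 = _md5(f"{username}:{realm}:{password}")   # A1 binds user, realm and password
    ha2 = _md5(f"{method}:{uri}")                   # A2 binds the request being made
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorization(username, password, realm, nonce, method, uri,
                         nc="00000001", cnonce=None):
    """Build the Authorization header a client sends; the password itself never appears."""
    cnonce = cnonce or secrets.token_hex(8)
    resp = digest_response(username, realm, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def _parse_digest(header: str) -> dict:
    """Parse the comma-separated key=value list of a Digest header (demo-grade parser)."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest header")
    out = {}
    for part in header[len("Digest "):].split(", "):
        k, _, v = part.partition("=")
        out[k.strip()] = v.strip().strip('"')
    return out


class DigestServer:
    """Issues nonces, verifies responses, and rejects replays of a (nonce, nc) pair."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users      # username -> password (demo only; store H(A1) in practice)
        self.issued = {}        # nonce -> highest nc accepted so far

    def challenge(self) -> str:
        """Return a fresh server nonce as would be sent in WWW-Authenticate."""
        nonce = secrets.token_hex(16)
        self.issued[nonce] = 0
        return nonce

    def verify(self, method, header) -> bool:
        p = _parse_digest(header)
        nonce = p.get("nonce")
        if nonce not in self.issued:            # unknown or expired nonce
            return False
        nc = int(p.get("nc", "0"), 16)
        if nc <= self.issued[nonce]:            # replay: this count was already used
            return False
        password = self.users.get(p.get("username"))
        if password is None or p.get("realm") != self.realm:
            return False
        expected = digest_response(p["username"], self.realm, password, method,
                                   p["uri"], nonce, p["nc"], p["cnonce"])
        if not secrets.compare_digest(expected, p.get("response", "")):
            return False
        self.issued[nonce] = nc                 # consume this count only on success
        return True


if __name__ == "__main__":
    server = DigestServer("demo@example.invalid", {"alice": "hunter2"})
    nonce = server.challenge()
    hdr = client_authorization("alice", "hunter2", server.realm, nonce, "GET", "/dir/index.html")
    print(hdr)
    print("first use:", server.verify("GET", hdr), "replay:", server.verify("GET", hdr))
```

The header contains the user name, realm, nonce and a hash, but not the password, and presenting the same header twice fails because the server has already consumed that nonce count. Note what this does not give you: the request body and response are still in clear, and an on-path party can still tamper with them, which is why the answer above still lists SSL first.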

Solution 5 - Security

SSL is a must :)

HTTP Post is transmitted in plain text. For an example, download and use Fiddler to watch HTTP traffic. You can easily see the entire post in there (or via a network traffic monitor like Wireshark).

Solution 6 - Security

It is not secure. A POST can be sniffed just as easily as a GET.

Solution 7 - Security

No...POST is not secure enough at all. SSL is a MUST.

POST only effectively hides the parameters in the query string. Those parameters can still be picked up by anybody looking at the traffic in between the browser and the end point.

Solution 8 - Security

No, use SSL.

With POST the values are still submitted as plain text unless SSL is used.

Solution 9 - Security

The most secure way is to not send credentials at all.

If you use Digest Authentication, then SSL is NOT a must.

(NB: I am not implying that Digest Authentication over HTTP is always more secure than using POST over HTTPS).

Solution 10 - Security

POST is plaintext.

A secure connection is a must.

That's why it's called a secure connection.

Solution 11 - Security

A POST request alone is not secure because all the data is "traveling" in plain text.

You need SSL, to make it secure.

Solution 12 - Security

The only difference between HTTP GET and HTTP POST is the manner in which the data is encoded. In both cases it is sent as plain-text.

In order to provide any sort of security for login credentials, HTTPS is a must.

You do not need an expensive certificate to provide HTTPS either. There are many providers that will issue very basic certificates for about $20USD. The more expensive ones include identity verification which is more of a concern for e-commerce sites.

Solution 13 - Security

Please see this great article:

Protect Against Malicious POST Requests

https://perishablepress.com/protect-post-requests/

Solution 14 - Security

POST data is sent in plain text if you are using an unencrypted HTTP connection. IF this is secure enough depends on your usage (hint: it's not).

If both the server, the client machine and ALL MACHINES BETWEEN THEM are part of a controlled, fully trusted network, this may be ok.

Outside of these very limited circumstances (and sometimes even within them) plain text authentication is asking for trouble.

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content Type | Original Author | Original Content on Stackoverflow
Question | Matt | View Question on Stackoverflow
Solution 1 - Security | Gumbo | View Answer on Stackoverflow
Solution 2 - Security | Jason Baker | View Answer on Stackoverflow
Solution 3 - Security | Martin Beckett | View Answer on Stackoverflow
Solution 4 - Security | user124546 | View Answer on Stackoverflow
Solution 5 - Security | Ken Pespisa | View Answer on Stackoverflow
Solution 6 - Security | driis | View Answer on Stackoverflow
Solution 7 - Security | Justin Niessner | View Answer on Stackoverflow
Solution 8 - Security | TWA | View Answer on Stackoverflow
Solution 9 - Security | ykaganovich | View Answer on Stackoverflow
Solution 10 - Security | yfeldblum | View Answer on Stackoverflow
Solution 11 - Security | rogeriopvl | View Answer on Stackoverflow
Solution 12 - Security | tadman | View Answer on Stackoverflow
Solution 13 - Security | SandroMarques | View Answer on Stackoverflow
Solution 14 - Security | cmason | View Answer on Stackoverflow