> The difference in security between GET and POST is about the same as level ground vs. a finger nail sized piece of tissue paper on that same level ground, since it would have only stopped someone so incompetent to not have been a threat anyway.
Query strings (GET) are visible to other sites as the referer, and end up in their logs, which may well end up on Google. So if you're okay with the information being displayed with someone does a search for your domain name, it's okay for it to be in the query string. GET is for GETting publicly available documents, and the query string can be used to identify the document. The query string is also visible to third-party JavaScript and .. well just about everybody. So it's in no way private. Additionally, note that any number of people can GET this post and read it and that causes no problems. It can be cached and people can get it without the server knowing and that's fine.
POST is used to take actions, such as POSTing a message on Slashdot, logging in, logging out, deleting something, etc. That data isn't visible to other sites you visit. It's not part of the REFERER, or document.location, etc. Assuming either SSL or no MITM by someone with access to your network, POST data is private. Additionally, POST explicitly means it has some effect, so it should not be repeated, cached, etc. If you confuse the two, doing something (such as creating a Slashdot post) based upon a GET request, you my well end up doing the action multiple times when it should have been done only once, or not doing it at all when it should have been, because the request was answered by a cache. It's not okay to add four hard drives to my shopping cart when I click "Add to cart" once, so not knowing and respecting the difference is a significant security issue.