
The problem is that they're using it for encryption.



They are using it to make sure the value doesn't interfere with the syntax of HTTP headers, i.e. for escaping, not for encryption. That's exactly what base64 is for. They simply have no encryption at all.


Can email interfere with HTTP headers though? There's no \r\n, ";" or "=" in valid email.

Anyway, I have seen sites where it was used as a security measure. Or so the authors thought I guess. Storing login password in url parameter? Seems safe if it is encoded. But it was years ago.


Actually, the '=' character is allowed. [1]

[1] http://tools.ietf.org/html/rfc5322#section-3.2.3


It sounds like you confused encoded with encrypted; encoded is no different from plain text. The encoding is just to get a valid string for the URI (so a password can contain special URI characters) and is instantly reversible.


No, I haven't. Should have put the "security measure" in the quotes.


>There's no \r\n, ";" or "=" in valid email.

Both ; and = are perfectly valid.


Did not know that, thanks for pointing that out. In that case the encoding is necessary. On top of that I just found out that even Unicode characters are permitted (RFC 6531).
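To make the escaping-versus-encryption point concrete, here is an added Python example (not code from any commenter in this thread): an address whose local part contains ';' and '=' is misread by a naive Cookie-header parser, base64 makes it safe to carry, and getting it back requires no key at all. The address and the toy parser are constructed for illustration.

```python
import base64

# Constructed address: the local part uses ';' and '=', which RFC 5322 allows
# but which a Cookie header treats as delimiters.
EMAIL = "alice;role=admin@example.com"

# Characters a naive header parser treats as syntax (constructed list for this demo).
HEADER_DELIMITERS = {";", "=", "\r", "\n"}


def needs_escaping(value: str) -> bool:
    """True when the raw value would collide with Cookie-header syntax."""
    return any(ch in HEADER_DELIMITERS for ch in value)


def naive_cookie_parse(header_value: str) -> dict:
    """Split a Cookie header the way a simple parser does: ';' between pairs, '=' inside."""
    pairs = {}
    for chunk in header_value.split(";"):
        name, _, value = chunk.strip().partition("=")
        pairs[name] = value
    return pairs


def build_cookie_raw(email: str) -> str:
    """Embed the address unescaped: its ';' and '=' become cookie syntax."""
    return f"user={email}"


def build_cookie_b64(email: str) -> str:
    """Embed the address as base64: the alphabet (A-Z, a-z, 0-9, '+', '/', '=') is cookie-safe."""
    token = base64.b64encode(email.encode("utf-8")).decode("ascii")
    return f"user={token}"


def read_user_b64(header_value: str) -> str:
    """Recover the address: plain decoding, no secret involved, so this is escaping, not encryption."""
    token = naive_cookie_parse(header_value)["user"]
    return base64.b64decode(token.encode("ascii")).decode("utf-8")


if __name__ == "__main__":
    print(naive_cookie_parse(build_cookie_raw(EMAIL)))   # address split into two bogus cookies
    print(read_user_b64(build_cookie_b64(EMAIL)))        # original address, round-tripped
```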


Exactly. Initially, I was confused by this statement too.

There's nothing wrong w/ base64 encoding; however, one needs to apply it to the correct context like applying it to: hashes, avoid text collision/escaping chars, or just embedding plain old non-sensitive binary data in text.


This is also used as encryption in many projects. It's incredible and crazy stuff. http://www.codango.com/asp/fnc/review-hot/?id=2303410

It's very easy to Google and see tons of sites using it. Many sites using it got serious security flaws.



