
If you use HTTPS, will your URL params be safe from sniffing? [duplicate]

Suppose I set up a simple PHP web server with a page that can be accessed by HTTPS. The URL has simple parameters, like https://www.example.com/test?abc=123.

Is it true that the parameter here in this case will be safe from people sniffing the packets? And would this be true if the server does not employ any SSL certificate?

erotsppa asked May 21 '09 17:05


People also ask

Are URL parameters secure in HTTPS?

An encrypted HTTPS request protects most things: This is the same for all HTTP methods (GET, POST, PUT, etc.). The URL path and query string parameters are encrypted, as are POST bodies.

Does HTTPS hide URL params?

So, Are HTTPS URLS Encrypted? Yes, the full URL string is hidden, and all further communication, including the application-specific parameters. However, the Server Name Indicator that is formed from the hostname and domain name part of the URL is sent in clear text during the first part of the TLS negotiation.

Can a HTTPS URL be intercepted?

We found that between 4% and 10% of the web's encrypted traffic (HTTPS) is intercepted. Analyzing these intercepted connections further reveals that, while not always malicious, interception products most often weaken the encryption used to secure communication and put users at risk.

What information could an attacker obtain from sniffing HTTPS traffic?

If there is any external file (JavaScript, CSS, etc.) which is not over HTTPS, the full URL could be sniffed in the Referer header. Same if the user clicks on a link in the page that leads to an HTTP (no SSL) page. Also, DNS requests are not encrypted, so an attacker could know the user is going to mysite.com.


2 Answers

Yes, your URL would be safe from sniffing; however, one hole that is easily overlooked is if your page references any third-party resources such as Google Analytics, Add Content anything, your entire URL will be sent to the third party in the referer. If it's really sensitive it doesn't belong in the query string.

As for your second part of the question, you can't use SSL if you don't have a certificate on the server.

JoshBerke answered Nov 11 '22 05:11
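The Referer leak described in the answer above, as an added example that is not part of the original answer: it models which Referer value a browser sends to a third-party resource under each Referrer-Policy value, going beyond the answer by covering the policy mechanism that limits the leak. The third-party hostnames are constructed, and origin comparison and the downgrade test are simplified (no default-port normalisation, "https" stands in for "trustworthy").

```python
from urllib.parse import urlsplit

def origin(url):
    """scheme://host[:port], credentials dropped (default ports not normalised)."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc.rsplit('@', 1)[-1]}"

def stripped(url, origin_only=False):
    """Referrer form of a URL: no fragment or credentials; optionally origin only."""
    u = urlsplit(url)
    if origin_only:
        return origin(url) + "/"
    return origin(url) + (u.path or "/") + (f"?{u.query}" if u.query else "")

def referer_sent(page_url, resource_url, policy="strict-origin-when-cross-origin"):
    """Referer header value for a request from page_url to resource_url, or None."""
    same_origin = origin(page_url) == origin(resource_url)
    # Simplification: HTTPS page requesting a non-HTTPS resource counts as a downgrade.
    downgrade = (urlsplit(page_url).scheme == "https"
                 and urlsplit(resource_url).scheme != "https")
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return stripped(page_url)
    if policy == "origin":
        return stripped(page_url, True)
    if policy == "same-origin":
        return stripped(page_url) if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else stripped(page_url, True)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else stripped(page_url)
    if policy == "origin-when-cross-origin":
        return stripped(page_url) if same_origin else stripped(page_url, True)
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return stripped(page_url)
        return None if downgrade else stripped(page_url, True)
    raise ValueError(f"unknown policy: {policy}")

if __name__ == "__main__":
    page = "https://www.example.com/test?abc=123"        # URL from the question
    third_party = "https://analytics.example.net/ga.js"  # constructed hostname
    for p in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin",
              "same-origin", "no-referrer", "unsafe-url"):
        print(f"{p:34} -> {referer_sent(page, third_party, p)}")
```

Under `no-referrer-when-downgrade` the third party receives the full URL including `abc=123`; under `strict-origin-when-cross-origin` it receives only the origin.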


http://answers.google.com/answers/threadview/id/758002.html

HTTPS establishes an underlying SSL connection before any HTTP data is transferred. This ensures that all URL data (with the exception of hostname, which is used to establish the connection) is carried solely within this encrypted connection, and is protected from man-in-the-middle attacks in the same way that any HTTPS data is.

All HTTP-level transactions within an HTTPS connection are conducted within the established SSL session, and no query data is transferred before the secure connection is established.

From the outside the only data that is visible to the world is the hostname and port you are connecting to. Everything else is simply a stream of binary data which is encrypted using a private key shared only between you and the server.

In the example you provide your browser would do this:

  1. Derive hostname (and port if present) from URL.
  2. Connect to host.
  3. Check certificate (it must be 'signed' by a known authority, applied specifically to correct IP address and port, and be current).
  4. The browser and server exchange cryptographic data and the browser receives a private key.
  5. The HTTP request is made, and encrypted with established cryptography.
  6. HTTP response is received. Also encrypted.

HTTP is an 'Application Layer' protocol. It is carried on top of the secure layer. The SSL specification, drawn up by Netscape, dictates that no application layer data may be transmitted until a secure connection is established - as outlined in the following paragraph:

"At this point, a change cipher spec message is sent by the client, and the client copies the pending Cipher Spec into the current Cipher Spec. The client then immediately sends the finished message under the new algorithms, keys, and secrets. In response, the server will send its own change cipher spec message, transfer the pending to the current Cipher Spec, and send its finished message under the new Cipher Spec. At this point, the handshake is complete and the client and server may begin to exchange application layer data." http://wp.netscape.com/eng/ssl3/draft302.txt

So yes. The data contained in the URL query on an HTTPS connection is encrypted. However, it is very poor practice to include such sensitive data as a password in a 'GET' request. While it cannot be intercepted, the data would be logged in plaintext server logs on the receiving HTTPS server, and quite possibly also in browser history. It is probably also available to browser plugins and possibly even other applications on the client computer. At most an HTTPS URL could be reasonably allowed to include a session ID or similar non-reusable variable. It should NEVER contain static authentication tokens.

The HTTP connection concept is most clearly explained here: http://www.ourshop.com/resources/ssl_step1.html

Ray Hayes answered Nov 11 '22 05:11
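The answer above points out that query strings end up in plaintext server logs even though TLS protected them in transit. As an added example (not part of the original answer), this scans access-log lines in common log format for credential-like parameters in the request target and redacts their values. The parameter-name list and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumed list of parameter names that should never appear in a GET URL.
SENSITIVE = {"password", "passwd", "pwd", "token", "api_key", "apikey", "secret"}

# Request field of a common/combined log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def redact_line(line):
    """Return (redacted_line, leaked_param_names) for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    parts = urlsplit(m.group("target"))
    leaked, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            leaked.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    if not leaked:
        return line, []
    start, end = m.span("target")
    return line[:start] + parts.path + "?" + urlencode(pairs) + line[end:], leaked

# Constructed sample: TLS hid these targets on the wire, the log did not.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/May/2009:17:05:00 +0000] "GET /test?abc=123 HTTP/1.1" 200 512',
    '203.0.113.7 - - [21/May/2009:17:05:09 +0000] '
    '"GET /login?user=alice&password=hunter2 HTTP/1.1" 302 0',
    '203.0.113.9 - - [21/May/2009:17:06:41 +0000] "POST /login HTTP/1.1" 302 0',
]

def scan(lines):
    """Return [(line_number, leaked_names, redacted_line)] for lines exposing secrets."""
    findings = []
    for n, line in enumerate(lines, 1):
        redacted, leaked = redact_line(line)
        if leaked:
            findings.append((n, leaked, redacted))
    return findings

if __name__ == "__main__":
    for n, leaked, redacted in scan(SAMPLE_LOG):
        print(f"line {n}: leaked {leaked}\n  {redacted}")
```

The POST line produces no finding because the request body is not written to the access log, which is why credentials belong there rather than in the query string.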