Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

With HTTPS, are the URL and the request headers protected as the request body is?

Tags:

security

https

ssl

Just want to verify, when making a SSL connection (http post) to say:

https://www.example.com/some/path?customer_key=123123123

If you don't want anyone to know about customer_key, this approach will not work even if I am making a https connection correct?

All data that I want secured has to be in the request body right?

like image 452
codecompleting Avatar asked Jan 13 '12 22:01

codecompleting

People also ask

Are headers protected by HTTPS?

Yes, headers are encrypted. It's written here. Everything in the HTTPS message is encrypted, including the headers, and the request/response load.

Is the URL encrypted in HTTPS?

So, Are HTTPS URLS Encrypted? Yes, the full URL string is hidden, and all further communication, including the application-specific parameters. However, the Server Name Indicator that is formed from the hostname and domain name part of the URL is sent in clear text during the first part of the TLS negotiation.

What is HTTPS protected?

HTTPS (Hypertext Transfer Protocol Secure) is an internet communication protocol that protects the integrity and confidentiality of data between the user's computer and the site. Users expect a secure and private online experience when using a website.

What is HTTPS request header?

An HTTP header is a field of an HTTP request or response that passes additional context and metadata about the request or response. For example, a request message can use headers to indicate it's preferred media formats, while a response can use header to indicate the media format of the returned body.

2 Answers

Quoting the HTTPS RFC:

When the TLS handshake has finished. The client may then initiate the first HTTP request. All HTTP data MUST be sent as TLS "application data".

Essentially, the secure SSL/TLS channel is established first. Only then the HTTP protocol is used. This will protect all the HTTP traffic with SSL, including HTTP headers (which contain the URL and cookies).

What may be visible in the handshake is the host name itself, since it's contained in the server certificate which will be visible in clear in the handshake (and it's often easy to guess the host name by looking at the destination IP address anyway).

When using Server Name Indication, the requested host name should also be visible in the server_name extension in the ClientHello message. Otherwise, there may be a bit of ambiguity (for the eavesdropper) to guess the host name from the certificate if the certificate is valid for multiple host names (e.g. multiple Subject Alt. Names or wildcards). In this case eavesdropping the DNS request from the client might give the attacker a clue.

Reading other people's answers and comments, some mention issues about Referer (lost an r in the spec) and logs.

  • Referrers shouldn't be sent when going from HTTPS to HTTP (but they are often sent when going from one HTTPS site to another HTTPS site).
  • About the history: you'll just have to trust whoever can potentially get that key legitimately (i.e. your users) not to spread it around. If needed, have a strategy to change it once in a while.
  • About the logs: I was assuming you were after protection over the network. The URL (including query) will be in the logs indeed, but if someone is able to attack your machine so as to get the logs, you have more to worry about that your app keys.

One of the remaining potential weak points is how you give that link to the user. If it's embedded in a web-page served over plain HTTP, anyone who can read that page would be able to see it. You should serve such a page over HTTPS too. If you send that link by e-mail instead, I'd say all bets are off, since mail servers rarely encrypt the connections between themselves and users also often to access their e-mail account without any encryption.

EDIT:

In addition, if you're using client-certificate authentication, the client certificate will be visible if it is negotiated during the initial handshake. This may leak the name of the user accessing the website (often Subject DNs contain the user name). The client certificate will not be visible if it is sent during a re-negotiated handshake.

like image 170
Bruno Avatar answered Oct 19 '22 06:10

Bruno

Only www.example.com will be visible to snoopers. The path section of the request is protected by SSL/TLS.

Obviously, you need to have sent original the hyperlink by HTTPS, too.

like image 26
artbristol Avatar answered Oct 19 '22 08:10

artbristol
Sign in to Comment

Related questions

Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
PHP $_SESSION for multiple users at once
The data protection operation was unsuccessful on Azure using OWIN / Katana
Do java's Inner classes pose a security risk?
Set httpOnly and secure on PHPSESSID cookie in PHP
api security implementation php
Creating feature in mac app to override the users security setting
How to does the token prevent csrf attack?
Hashing a session fingerprint really necessary?
Attacking Python's pickle
What are the risks of PHP sessions?
How is it possible to access memory of other processes?
Websocket Security
Storing SSL cert in source control
Where to store a JWT token?
Storing Credentials in Local Storage
How do I prevent session hijacking by simply copy a cookie from machine to another?
Purpose of JSLint "disallow insecure in regex" option
What good ways are there to prevent cheating in JavaScript multiplayer games?
Must logins be a https page

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!