Fog Creek Software
Discussion Board




Are URL Addresses in a HTTPS connection encrypted?

Hi:

If I set up a 'https' connection to a webpage - the page itself is encrypted between the browser and server.

Is the URL itself encrypted?

Placibo
Thursday, August 05, 2004

IIRC it is the entire connection that is "encrypted", so yes.

Matt B
Thursday, August 05, 2004

Keep in mind that the entire packet isn't decrypted - just the content.  So, while the HTTP header that contains your URL is encrypted, the IP address you request is flying off to is not - otherwise, it'd never get tehre.

Greg Hurlman
Thursday, August 05, 2004

get THERE.

Greg Hurlman
Thursday, August 05, 2004

I could be wrong, but if you want to encrypt the content and the networking information you need to use IPSec.

zigzag
Thursday, August 05, 2004

Even IPSec is basically IP-over-IP.  The intermediate routers need to know where to send the packets, so either they have to be in on the encryption (which they're not) or the outer-most IP header is plaintext.

If you want to encrypt even the destination, you'd have to set up your own proxy somewhere that was in on it, then you could send IP-over-your-own-encrypted-protocol to that proxy, which would make the real request.  Of course then people could just watch the packets coming out of that proxy, but if you get enough people using it (or send out enough bogus packets) it could be anonymous-ish.

Michael Kale
Thursday, August 05, 2004

actually, IPSec doesn't always do IP-over-IP.  I was thinking of a VPN.  But the outermost IP header is still plaintext ....

.. back to my coffee now.

Michael Kale
Thursday, August 05, 2004

When in doubt, run Ethereal.  Look at your packets.  They're pretty much what any snoop in the middle would see too.

Protocol adventurer
Thursday, August 05, 2004
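
What the posts above describe, as an added example that is not part of the original thread: a small parser reporting what a passive observer (or Ethereal) can read from a single IPv4/TCP packet. The packets, addresses and URL are constructed samples, and the 32 "ciphertext" bytes are a stand-in rather than real SSL output.

```python
import socket
import struct

TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def observer_view(packet: bytes) -> dict:
    """Return what a passive on-path observer can read from one IPv4/TCP packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4                 # IP header length in bytes
    if packet[9] != 6 or len(packet) < ihl + 20:
        raise ValueError("not a complete TCP segment")
    view = {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20])}
    view["sport"], view["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    data_off = (packet[ihl + 12] >> 4) * 4       # TCP header length in bytes
    payload = packet[ihl + data_off:]
    view.update(url=None, tls_record=None)
    if payload.startswith(HTTP_METHODS):
        # Plain HTTP: the request line, and so the URL path and query, is readable.
        parts = payload.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
        view["url"] = parts[1] if len(parts) > 1 else None
    elif len(payload) >= 5 and payload[0] in TLS_TYPES and payload[1] == 3:
        # SSL/TLS record: only the 5-byte record header is readable, the body is ciphertext.
        view["tls_record"] = TLS_TYPES[payload[0]]
        view["tls_length"] = struct.unpack("!H", payload[3:5])[0]
    return view


def build_packet(src, dst, sport, dport, payload):
    """Constructed sample: minimal IPv4 + TCP headers (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload


# Constructed samples: the same request sent over plain HTTP and inside an SSL record.
PLAIN = build_packet("192.0.2.10", "198.51.100.7", 40000, 80,
                     b"GET /account?user=alice HTTP/1.1\r\nHost: example.com\r\n\r\n")
ENCRYPTED = build_packet("192.0.2.10", "198.51.100.7", 40001, 443,
                         b"\x17\x03\x01" + struct.pack("!H", 32) + bytes(range(32)))

if __name__ == "__main__":
    for name, pkt in (("http", PLAIN), ("https", ENCRYPTED)):
        print(name, observer_view(pkt))
```
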

Yeah, I'd recommend you run Ethereal too.

I once asked someone about this, and the consensus was no. It would be pretty damaging, I think, if too much HTTP information could be seen over an SSL connection.

www.MarkTAW.com
Thursday, August 05, 2004

SSL encrypts the entire connection.
Of course the IP address is visible, that's used for routing. You'd have to use some sort of redirection to hide that.

However, SSL supports many different stream encryption techniques. One of them is 'no encryption', which validates that the certificates are correct but doesn't actually encrypt anything. I don't know what you'd have to do to realistically get into that state, though there were bugs relating to that in the past. The stream encryption is negotiated by the client and server, and most web browsers will tell you what is being used if you look at the 'ssl' properties.

mb
Thursday, August 05, 2004
