Fog Creek Software
Discussion Board




Are some parts of a URL encrypted under HTTPS?

Hi:

If there is a URL, e.g. https://www.somecompany.com/index.cfm?loc=store/soft_main&store_id=3&parentID=882&CFID=98882&CFTOKEN=9360

Is part of the URL encrypted during https transmission between server and browser - i.e. the token?

Placibo
Wednesday, August 11, 2004

no

URL Man
Wednesday, August 11, 2004

yes. all of it.

mb
Wednesday, August 11, 2004

The question deals with only the URL - not the page.

I don't think any of the URL is encrypted even under https.

Not a Savant
Wednesday, August 11, 2004

why not?

mb
Wednesday, August 11, 2004

If the URL was encrypted, how would any router know where to send the request?    They don't have the SSL Key that is stored on the server.

Just run Netmon or similar, you'll see it for yourself.

URL Man
Wednesday, August 11, 2004

the same way the router knows how to send the packets for an FTP session or telnet or irc or whatever.

Routers don't work at the application level (well, some modern transparent proxies do, but that's a different matter), they work at the transport level.

HTTP is an application. HTTPS is an encrypted variant. TCP/IP is a reliable transport protocol and includes routing information.

interestingly enough, this exact same topic was covered in this forum in the last week or two, I wonder why it's come up twice this month?

mb
Wednesday, August 11, 2004

The routers know this by looking at the IP address in the packet.  The http server can decrypt the http headers to know what to do with it...

I tested this briefly and all the http data is encrypted.

Billy Boy
Wednesday, August 11, 2004

ah you are right.  my apologies.

[not the] URL Man
Wednesday, August 11, 2004

FWIW, this is why web servers can't use the Host: header to differentiate between multiple HTTPS servers with the same IP address. The connection is encrypted at a lower level, so you have to know which certificate is appropriate BEFORE you ever get a chance to see the Host: header.

Brad Wilson (dotnetguy.techieswithcats.com)
Wednesday, August 11, 2004

The "URL" isn't sent to the server. For an https URL, the domain name is converted to an IP address and a secure connection is made to that address. Then the rest of the URL (index.cfm and everything after the ?) are sent as part of the GET request over the secure connection.

Tom Mack
Wednesday, August 11, 2004

The hostname is (virtually always) sent to the server, via the Host: header in the HTTP request.

Brad Wilson (dotnetguy.techieswithcats.com)
Wednesday, August 11, 2004

If in doubt, RTFRFC.

http://www.faqs.org/rfcs/rfc2818.html
http://www.faqs.org/rfcs/rfc2246.html

No actual HTTP-related data is sent until after the encryption handshaking process. 

The big problem is that TLS deals with a connection to an IP address and therefore doesn't know which key to give you.  And since a key has a limited amount of flexibility with respect to what it's pointing to, you'll generally get key errors if you try.  Remember, TLS can be applied to any protocol, not just HTTP.  Virtual hosting happens on the HTTP level and which service on a given port is left up to the protocol in general.

However, if you manage to get a wildcarded key, you can have different virtual hosts on the same address.  So if I have a key for *.strongbaddia.com, I can have a different site for joel.strongbaddia.com and plonker.strongbaddia.com.

Thusly, your properly equipped enemy will know which machine you are connected to, but neither the rest of the URL nor the header values.

All of the answers are there in the specs.  The ability to read a spec and glean what pieces of knowledge you need out of it is quite a valuable skill.  Took me 2-3 minutes to produce an answer.

Flamebait Sr.
Wednesday, August 11, 2004
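
Added example, not part of the original thread: a Python sketch of the split Tom Mack and Brad Wilson describe above. The hostname only selects the machine to connect to, while the path, query string and Host: header travel inside the GET request. The function names and SAMPLE_URL (the question's URL with the slash after the hostname restored) are assumptions made for this example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: the URL from the question, slash after the hostname restored.
SAMPLE_URL = ("https://www.somecompany.com/index.cfm?loc=store/soft_main"
              "&store_id=3&parentID=882&CFID=98882&CFTOKEN=9360")

def split_exposure(url):
    """Split a URL into the connection endpoint and the HTTP request bytes."""
    u = urlsplit(url)
    if u.scheme not in DEFAULT_PORTS or not u.hostname:
        raise ValueError("expected an absolute http(s) URL")
    default = DEFAULT_PORTS[u.scheme]
    port = u.port or default
    # Request target is path plus query; an empty path is sent as "/".
    target = (u.path or "/") + ("?" + u.query if u.query else "")
    # The Host: header carries the port only when it is not the default.
    host = u.hostname if port == default else f"{u.hostname}:{port}"
    request = (f"GET {target} HTTP/1.1\r\n"
               f"Host: {host}\r\nConnection: close\r\n\r\n").encode("ascii")
    return {
        "connect_to": (u.hostname, port),  # resolved to an IP; routers see IP and port
        "request_bytes": request,          # written only after the handshake on https
        "inside_tls": u.scheme == "https",
        "never_sent": u.fragment,          # the #fragment stays in the browser
    }

def visible_on_path(url):
    """What an observer between browser and server can read of the request."""
    info = split_exposure(url)
    cleartext = b"" if info["inside_tls"] else info["request_bytes"]
    return {"endpoint": info["connect_to"], "cleartext": cleartext}

if __name__ == "__main__":
    for url in (SAMPLE_URL, SAMPLE_URL.replace("https://", "http://", 1)):
        seen = visible_on_path(url)
        print(url.split(":", 1)[0], "endpoint:", seen["endpoint"])
        print("  token readable on path:", b"CFTOKEN=9360" in seen["cleartext"])
```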

You didn't like the answers you got last week? http://discuss.fogcreek.com/joelonsoftware/default.asp?cmd=show&ixPost=171630&ixReplies=9

Step 1: learn how to send an HTTP request with a telnet client
Step 2: understand how this process is changed in the presence of SSL
Step 3: become enlightened

Brian
Wednesday, August 11, 2004

Install this and you can see what goes back and forth:

http://www.xk72.com/charles/

Matthew Lock
Thursday, August 12, 2004
