02 October 2012

HTTP over TLS/ SSL: What is Really Secured?

HTTP over TLS/ SSL performs encryption of transferred data. However, what is really encrypted and what isn’t?

Part of the TLS/ SSL negotiation will not be secured. Everything else is securely transmitted.

  • What is in the clear/ can be derived will be the destination hostname or IP address and the port (usually 443)
  • URLs for GET/ POST/ HEAD request methods are secured
    • GET URL parameters, e.g. ?data=12345678&id=123
    • POST URL
  • All HTTP headers are secured. These include:
    • Cookies
    • Content-type/ content-length
    • Cache control
    • User-agent
    • Accept (-encoding)
  • HTTP payload is secured. This may be:
    • POST parameter
    • HTML/ XML data

Does it therefore mean that the GET URL over HTTPS is secured? You decide for yourself….

  1. As the GET URL method information is secured, any sniffer between the source and destination would not be able to “see” the URL parameters.
  2. However, the web browser would track the full GET URL (including the parameters) in the browsing history. As such, anyone having access to the web browser might be able to view the URL.
  3. Similarly, the access logs in the web server would typically store the full GET URL

No comments: