Posts

Showing posts from October, 2012

HTTP over TLS/ SSL: What is Really Secured?

HTTP over TLS/ SSL performs encryption of transferred data. However, what is really encrypted and what isn’t? Part of the TLS/ SSL negotiation will not be secured. Everything else is securely transmitted. What is in the clear/ can be derived will be the destination hostname or IP address and the port (usually 443) URLs for GET/ POST/ HEAD request methods are secured GET URL parameters, e.g. ?data=12345678&id=123 POST URL All HTTP headers are secured. These include: Cookies Content-type/ content-length Cache control User-agent Accept (-encoding) HTTP payload is secured. This may be: POST parameter HTML/ XML data Does it therefore mean that the GET URL over HTTPS is secured? You decide for yourself…. As the GET URL method information is secured, any sniffer between the source and destination would not be able to “see” the URL parameters. However, the web browser would track the full GET URL (including the parameters) in the browsing history. As such, anyone havi...