Re: https - is the URL encrypted?
From: Alun Jones [MS MVP] (alun_at_texis.com)
Date: Sat, 10 May 2003 22:46:42 GMT
In article <jUWua.email@example.com>, Barry Margolin
>In article <firstname.lastname@example.org>,
>J. VerSchave <email@example.com> wrote:
>>I am curious if I am using https...
>>is the URL I type-in encypted or does it go across the net as plain
>>For instance, If I type in https://www.myurl.com/?username=bob
>>will my ISP be able to see the URL and that my username=bob or is this
>>all already encrypted inside of ssl?
>The entire session with the remote server is encrypted. Since the URL is
>sent using the "GET" command in the HTTP session, it's encrypted.
One important part is available unencrypted, though, and that is the DNS
name of the server being accessed. This might be important, or it might
not, depending on the situation. For instance, it may be very interesting
to your employers to note that immediately prior to establishing an https
session with a remote host, you made a DNS lookup to www.playboy.com - and
the https session was made to the numerical address returned from that
When analysing the risk of a behaviour, you have to examine what sort of
attack you are trying to prevent. Similar stories concern pizza deliveries
to war rooms prior to invasions, etc. Even though everything else is kept
secret and hush-hush, the mere presence of a connection may be something
you'd like to hide.
[Please don't email posters, if a Usenet response is appropriate.]
-- Texas Imperial Software | Find us at http://www.wftpd.com or email 1602 Harvest Moon Place | firstname.lastname@example.org. Cedar Park TX 78613-1419 | WFTPD, WFTPD Pro are Windows FTP servers. Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.