Re: https - is the URL encrypted?

From: Alun Jones [MS MVP] (alun_at_texis.com)
Date: 05/11/03


Date: Sat, 10 May 2003 22:46:42 GMT

In article <jUWua.22$fj7.2207@paloalto-snr1.gtei.net>, Barry Margolin
<barry.margolin@level3.com> wrote:
>In article <c5b7bb8c.0305091525.7864ed74@posting.google.com>,
>J. VerSchave <carlisle411@yahoo.com> wrote:
>>I am curious if I am using https...
>>
>>is the URL I type-in encrypted or does it go across the net as plain
>>text.
>>For instance, if I type in https://www.myurl.com/?username=bob
>>will my ISP be able to see the URL and that my username=bob or is this
>>all already encrypted inside of ssl?
>
>The entire session with the remote server is encrypted. Since the URL is
>sent using the "GET" command in the HTTP session, it's encrypted.

One important part is available unencrypted, though, and that is the DNS
name of the server being accessed. This might be important, or it might
not, depending on the situation. For instance, it may be very interesting
to your employers to note that immediately prior to establishing an https
session with a remote host, you made a DNS lookup to www.playboy.com - and
the https session was made to the numerical address returned from that
lookup.

When analysing the risk of a behaviour, you have to examine what sort of
attack you are trying to prevent. Similar stories concern pizza deliveries
to war rooms prior to invasions, etc. Even though everything else is kept
secret and hush-hush, the mere presence of a connection may be something
you'd like to hide.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]

-- 
Texas Imperial Software   | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place   | alun@texis.com.
Cedar Park TX 78613-1419  | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.
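
The split described in this thread, as an added example that is not part of the original posts: it builds the cleartext DNS query a resolver would send for the host in the question's URL, recovers the name the way a passive observer would, and shows that the path and query string exist only in the request line sent inside the encrypted session. The function names and the transaction ID are assumptions made for illustration.

```python
import struct
from urllib.parse import urlsplit

def build_dns_query(hostname, txid=0x1234):
    """Encode a standard A-record query (RFC 1035), as sent in clear over UDP port 53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set, one question
    qname = b""
    for label in hostname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("DNS labels must be 1 to 63 bytes long")
        qname += bytes([len(raw)]) + raw  # each label is length-prefixed
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def observed_hostname(packet):
    """Recover the queried name from a captured query by walking the QNAME labels."""
    pos, labels = 12, []  # the question section starts after the 12-byte header
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def split_exposure(url):
    """Separate what crosses the network in clear from what stays inside the session."""
    parts = urlsplit(url)
    dns_packet = build_dns_query(parts.hostname)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return {
        "cleartext_dns_packet": dns_packet,
        "observer_sees_host": observed_hostname(dns_packet),
        # Sent only after the handshake, so it is carried encrypted.
        "encrypted_request_line": f"GET {target} HTTP/1.1",
    }

if __name__ == "__main__":
    # The URL from the original question.
    result = split_exposure("https://www.myurl.com/?username=bob")
    print("DNS query bytes (clear):", result["cleartext_dns_packet"].hex())
    print("Observer recovers host: ", result["observer_sees_host"])
    print("Inside the session only:", result["encrypted_request_line"])
```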

