Perhaps I am misunderstanding the way in which HTTP over SSL works, but I was interested in whether the addresses visited by a browser via HTTPS are themselves encrypted? This is not only in terms of sniffing browsing patterns (though there are of course other ways to do this), but in particular, information sent using the HTTP GET method (as this information is appended in the browser address bar).
2 Answers
2
Mostly - not the domain name
For https, the domain name part is sent unencrypted (since it may be needed to direct the request to a different host / different https certificate), but the rest of the URL (e.g. the "/questions/141958/does-https-encrypt-browser-address-history" part of this question "Does HTTPS encrypt visited URL?") is encrypted in transit.
Naturally, https affects only the network part, and the URL is still available in plaintext for your browser (including the address history) and the server.
- I'm assuming subdomains would be unencrypted, but not the case with subfolders? example.domain.com vs domain.com/example – Stumbler Nov 06 '16 at 16:00
- @Stumbler yes, exactly - the server name (example.domain.com) is sent unencrypted to determine which server to contact (there may be multiple hosts on a single IP, returning different data depending on that) but the rest of the address and parameters sent to that server e.g. "/example/" (which might imply folders in some implementations) is encrypted. http://security.stackexchange.com/a/34795/37973 is a good description. – Peteris Nov 06 '16 at 16:09
- The URL may be sent unencrypted to the network in some cases: http://www.securityweek.com/hackers-can-intercept-https-urls-proxy-attacks – Tom Nov 07 '16 at 11:35
1
Partially.
HTTPS can't hide which server you're sending to (e.g. that you just sent something to Stack Overflow's CDN), but the specific page and GET parameters are encrypted.
deviantfan