1

I have a question about HTTPS, which I need help understanding.

So if I type https://www.facebook.com/FOOBAR, and as the connection is encrypted, will someone in the middle (say my ISP or someone who is trying a MITM attack) find out that I requested the FOOBAR resource, or is everything encrypted?

TL;DR: when making an HTTPS request, what will my ISP see? Just facebook.com or facebook.com/FOOBAR?

2 Answers

1

Your ISP will not see the /FOOBAR. This is because you will request facebook.com or www.facebook.com, which is a feature of DNS. This part is not encrypted and only serves to recover the IP of the webserver for the given domain name. When your browser requests this domain name, it will not include /FOOBAR, as this is not part of the fully qualified domain name.

Lucas Kauffman
  • When the connection to the server is established as well, the desired hostname might be sent in the clear before SSL/TLS is set up (this allows a single HTTPS server to handle different domains with different certificates). – Kitsune Apr 14 '13 at 19:11
0

To complete what @Lucas said, when you connect to https://www.facebook.com/, the name www.facebook.com will be made visible to your ISP in several ways:

  • Your machine will first ask for DNS resolution of www.facebook.com; the request will usually be sent to your ISP's DNS servers, and would in any case travel unprotected from its eyes.
  • The ClientHello message that your browser sends to initiate the SSL/TLS handshake will contain the name www.facebook.com in plain letters (that's the Server Name Indication extension, implemented by all recent OS and browsers).
  • During the handshake, the server will send its certificate, still as cleartext, and the certificate contains the server's name, or close enough (in the specific case of www.facebook.com, it contains *.facebook.com). This is expected, since the client (your browser) mandates it that way, in application of RFC 2818.

All the SSL handshake is made first, and then, only then, does HTTP itself begin. Thus, the HTTP request, which contains the target path ("/FOOBAR"), will be protected by the encryption provided by the SSL tunnel. Note that encryption protects the data but not the length: your ISP could probably work out that your target path consists of seven characters (it would require observing a few other requests from your browser, and some "educated guessing", because the whole HTTP request is encrypted, so the ISP would have to estimate the total length of the other HTTP headers).

Tom Leek