I've googled around and it seems like SSL encrypts URLs. (Correct?) As I understand it, if I go to a site like `http://security.stackexchange.com` then a DNS server looks at the URL, says hey, he wants to go to IP `xxx.xx.xxx.xxxx` and then the packets are routed to that IP address across the Internet. But if the URL in an HTTPS message is encrypted then how can the packets be routed? If a DNS gets a request for an encrypted URL, how do they know where to send the packets?
19
bernie2436
"I've googled around and it seems like SSL encrypts URLs. (Correct?)" Yes, that's correct. For more information see [Is HTTPS URL in plain text at first connection?](https://security.stackexchange.com/questions/117536/is-https-url-in-plain-text-at-first-connection/117544#answer-117544). – rugk Mar 17 '16 at 00:43
1 Answer
34
The DNS server does not look at the URL; the DNS server does not know what a URL could be.
The client browser extracts the intended server name from the URL. In a URL like `https://www.example.com/foobar.html`, the server name is the part after the `https://` but before the next `/`; i.e., `www.example.com` in this example. The server name is what is sent to the DNS.
The DNS responds with the IP address for that server. The client then talks with that server, they do their SSL magic, and once the tunnel has been established (and only then), the client sends the URL (specifically, the part after the server name, in my example `/foobar.html`) to the server. And that one goes in the tunnel, hence encrypted.
This answer is a walk through the SSL protocol.
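The split described in the answer above, as an added example that is not part of the original answer: it builds the DNS query (RFC 1035 wire format) a client would send for the server name and, separately, the HTTP request that is only written once the tunnel exists. The function names `dns_query` and `split_exposure` and the sample URL are constructed for illustration.

```python
import struct
from urllib.parse import urlsplit


def dns_query(hostname, txid=0x1234):
    """Build an RFC 1035 A-record query for hostname (raw wire format)."""
    # Header: id, flags (recursion desired), 1 question, 0 other records.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME: each dot-separated label prefixed by its length, then a zero byte.
    labels = hostname.rstrip(".").encode("idna").split(b".")
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def split_exposure(url):
    """Separate what the resolver sees from what travels inside the tunnel."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected an https:// URL with a host")
    # Request target: path plus query. The #fragment is never sent at all.
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    host = parts.hostname
    if parts.port not in (None, 443):
        host += f":{parts.port}"
    # Assumes the URL is already ASCII / percent-encoded.
    request = f"GET {target} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("ascii")
    return {
        "dns_query": dns_query(parts.hostname),  # sent before any tunnel exists
        "tcp_port": parts.port or 443,           # where the connection is opened
        "inside_tunnel": request,                # written only after the handshake
    }


if __name__ == "__main__":
    # Constructed sample URL, extending the answer's example with a query string.
    result = split_exposure("https://www.example.com/foobar.html?user=alice#top")
    print("to DNS      :", result["dns_query"])
    print("in tunnel   :", result["inside_tunnel"])
```

The DNS query bytes contain only the labels `www`, `example`, `com`; the path and query string appear solely in the request that is written into the tunnel.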