-1

Say for example I visit https://foo.com. Could someone that is sniffing the network determine that I am going there? At what level does the https encrypt the request?

I know that data is secured but I am wondering if an outside attacker could know that a user is going to https://foo.com.

Alexis
  • 109
  • 2

1 Answers1

1

Absolutely.

The one sniffing the network might see a DNS query (if the authoritative server lies within the target network). That is hint #1.

The sniffer also sees the certificate requested by you (the client). This is part of the TLS handshake. The certificate certifies (duh) that all data exchange is actually happening with foo.com. This relation is expressed through SNI (Server Name Indication).

So once this happens, all the data at HTTP level is encrypted.

Remember the OSI network stack. The Session layer is Layer 5, then comes the Application layer (HTTP). All data beyond Layer 5 is thus encrypted.

sandyp
  • 1,146
  • 1
  • 9
  • 17
  • thanks for the answer! One followup. So they will know the user is communicating with https: //foo.com. If the user goes to https ://foo.com/, will be revealed to a sniffer? – Alexis Nov 03 '15 at 00:41
  • The IP address would also be a pretty big hint. The IP header isn't encrypted, only the TCP data within it. As for your last question: no, but beware that the size of the big long secret may show, i.e. an attacker may be able to see that you go to something with a big long ... secret. – Maarten Bodewes Nov 03 '15 at 01:12
  • @Alexis In your example, is encrypted and is therefore not visible to a passive observer. – Austin Hartzheim Nov 03 '15 at 01:15