1

Is it possible for a router or an operating system to get access to URLs I visit in my browser, if SSL-encryption is used between a browser and a webserver?

Oleg
  • 289
  • 3
  • 11
  • 1
    relevant potential duplicate: http://security.stackexchange.com/questions/2914/can-my-company-see-what-https-sites-i-went-to – schroeder Jul 09 '16 at 17:32
  • 1
    user-land non-priveldeged apps can somewhat see the sites by monitoring your profile folder mod dates for different cookies, cache, etc. – dandavis Jul 10 '16 at 03:06

1 Answers1

7

The full URL is protected by the end to end encryption of HTTPS, but the target IP and hostname (the full name of the host, i.e. FQDN, i.e. something like www.example.org) are not. Thus the router could get the name of the host you visit but not the full URL (i.e. not the path after the hostname):

 https://www.example.org/some/secret/page.html
         |-- visible --||---- protected -----|

An application on the same OS as the browser might be able to get the full URL if it has the same or even more access rights than the browser and could thus inject code into the browser process or read internal data from the browsers memory. By injecting into the browser it could even not only read the full URL but has access to all the other transferred data and can modify these. This is for example done by malware targeting online banking.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • Thank for the explanation. However i wonder about situation when there are multiple sites on the same server. So the hostname of the server is for example "myserver.com" and the domain i use in url is "example.com". Would example.com be visible in this case? – Oleg Jul 09 '16 at 17:55
  • 1
    @Curious: the hostname from the URL is send by the client in plain during the SSL handshake when [SNI](https://en.wikipedia.org/wiki/Server_Name_Indication) is used. SNI is used at least in all current browsers. – Steffen Ullrich Jul 09 '16 at 18:00
  • Thanks @Steffen, i think i have confused with the terminology a little. Your wikipedia link helped me a lot. Thank you! +1 – Oleg Jul 09 '16 at 18:11