14

What parties have access to the full requested URL of a website accessed via the HTTPS protocol?

Here are some possibilities I can think of, and there could be more:

  1. local device accessing the website
  2. router
  3. modem
  4. local network provider (wired or wireless)
  5. ISP
  6. each hop along the internet to the destination
  7. big brother
  8. destination ISP
  9. destination local network provider (typically wired, but can be wireless)
  10. destination modem
  11. destination router
  12. destination host

Note that this question is specifically about the full requested URL, which would include the specific page being accessed as well as all parameters being passed via the URL.

Also, are there any steps along the way that would not have access to the entire HTTPS request header?

RockPaperLz- Mask it or Casket
  • 3,114
  • 21
  • 50

1 Answers1

33

Only the TLS endpoints1 can read the the full URL because HTTPS provides end-to-end encryption.

HTTPS wraps the full HTTP protocol, including the request line, request/response body and all the headers. The request URL is just one part of HTTP that gets encrypted together with all the other components. If any party was able to read the URL, they would naturally also have access the full HTTP traffic.

Just to be clear, there are still a lot of ways the URL might be inadvertently disclosed:

  • When moving away from a site by clicking a link, your browser will by default send a Referer header containing the previous URL - which is therefore disclosed to the site you're browsing to.

  • Browser plugins might send your visited URLs somewhere for analysis or to sell them.

  • Security products or corporate firewalls that do "legitimate" HTTPS interception (implying you actively installed and trusted their root certificate) could read your HTTP traffic and thereby learn the URL.

  • The host of the target site (but not the full URL) would routinely be disclosed to a potential eavesdropper due to HTTPS SNI and the client's DNS query.

But assuming a correct setup without any side channel leaks, the request URL just goes through the TLS tunnel like everything else that's transmitted.

1In your example, these are most likely the local device (1.) and the destination host (12.). As @Bob points out, the TLS connection could also end at a load balancer or some other form of proxy.

Arminius
  • 43,922
  • 13
  • 140
  • 136
  • 2
    HTTPS Referer is only sent in certain cases: https://serverfault.com/questions/520244/referer-is-passed-from-https-to-http-in-some-cases-how – Neil McGuigan May 03 '17 at 21:59
  • 1
    @NeilMcGuigan That's why I said "might". – Arminius May 03 '17 at 22:02
  • 9
    More technically, it's the TLS termination point where the full URL becomes visible. This is *often* the destination host, but not always (consider: load balancers, CDNs like CloudFlare, etc.). – Bob May 04 '17 at 03:25
  • @Bob I made that a little clearer. – Arminius May 04 '17 at 04:16