0

I am wondering if the "/todo1" part of the below URL

curl https://someserver:5000/todo1 -d "data=Remember the milk" -X PUT

Gets encrypted over TLS/HTTPS, or is the full URL that you're sending your request to visible to a middle man?

schroeder
  • 123,438
  • 55
  • 284
  • 319
Lost Crotchet
  • 121
  • 1
  • 1
  • 4
  • 1
    The path is encrypted. I'm pretty sure there are several similar questions on this site already. – user Jan 31 '20 at 20:52
  • Does this answer your question? [Are URLs viewed during HTTPS transactions to one or more websites from a single IP distinguishable?](https://security.stackexchange.com/questions/4388/are-urls-viewed-during-https-transactions-to-one-or-more-websites-from-a-single) (There is a slew of more tightly-related questions to yours, but they are all closed, linked to this duplicate.) – msanford Jan 31 '20 at 20:53
  • Also, the question title asks about "HTTP PUT data" which you pass with `-d` in your example, but you ask about the URI fragment `/todo1` in the question? – msanford Jan 31 '20 at 20:55
  • Aww, you closed it too fast! I went and ran this command through burp and wireshark for the screenshots. Oh well. – Mike Ounsworth Jan 31 '20 at 20:59

1 Answers1

0

Your curl command.first triggers a DNS request to resolve someserver. So even if the whole will get encrypted man can still get this information.

Then a TLS tunnel is created to this server to the port you specified (5000 in your exemple). This would trigger certificate exchange and keys exchange to encrypt the HTTP request itself.

The whole HTTP protocol being encrypted in the TLS tunnel, none of their methods would be available for a man-in-the-middle.

You can verify it by using tcpdump or wireshark while running your command.

philippe
  • 193
  • 8