0

How are the GET parameters passed?

example

I Understand the HTTP Connection is started by browser as below

1) Connect with TCP port 80
2) after connection, pass the following over the connection
    GET /?parameter=secure_data
3) Receive the data content (Could be text, html, image etc)
4) Display the data

Is this the same kind of process followed by the browser for HTTPS?

1) Connect with TCP port 443
2) establish a secure connections
3) after secure connection, pass the following over the connection
    GET /?parameter=secure_data
4) Receive the data content (Could be text, html, image etc)
5) Display the data

If it is then the parameters are transferred securely over TLS.

I am not developing the webapp but my client is passing the parameters over GET request parameters and I have a doubt over how this is handled by TLS over HTTPS.

I don't care about security issue of logging the request URI in the Browser History or request URI logged by the server.

I am mainly interested in knowing if the parameters are passed by HTTPS over TLS or not.

Mck
  • 1
  • The process is the same, it's just the message is encrypted so I can't see your traffic. – Crisp Apples May 11 '20 at 18:56
  • If you wish to see proof of this, have a search for SSLKEYLOGFILE and Wireshark. Hope it helps. – HelpingHand May 11 '20 at 18:57
  • from what I've read the get/post vars are passed securely, but the URL itself is not. So destination can be read from a standard DNS server, but not the query values. – pcalkins May 11 '20 at 19:00
  • So GET /path is passed over SECURE connection and will not be accessible to anyone other than the browser or the intended server, right? i.e. MitM attack will not be possible. – Mck May 11 '20 at 19:08
  • A packet capture will tell you if your client's implementation passes GET over TLS or not .. – schroeder May 11 '20 at 19:11
  • As long as you trust everyone who *might* have access toe the server, you're good to go! If you're concerned about how leaky the IPC of the parameters are, POST has a better track record over some channels, most particularly CGI. – tjd May 11 '20 at 19:17

0 Answers0