While perusing the contents of pcap files I've noticed some URLs appear to be visible despite being HTTPS. These mainly occur inside payloads that contain cert URLs too, but I also see HTTPS URLs inside what appear to be HTTP payloads.
Can someone say conclusively whether HTTPS URLs are truly kept secret?
I'm concerned about this because I want to put some parameters in the URL and I don't want these to be easily uncovered.
With HTTPS the path and query string of the URL is encrypted, while the hostname is visible inside the SSL handshake as plain text if the client uses Server Name Indication (SNI). All modern clients use SNI because this is the only way to have different hosts with their own certificates behind the same IP address.
The rest of the URL (i.e. everything but the hostname) will only be used inside the encrypted connection. Thus in theory it is hidden from the attacker unless the encryption itself gets broken (compromising the private key, man-in-the-middle attacks etc). In practice an attacker might have indirect ways to get information about the remaining part of the URL:
But in most cases you are pretty safe with HTTPS, at least much safer than with plain HTTP.
Both HTTP headers (containing requested URL) and application data in HTTPS is encrypted.
You can see requested hostname, because browsers send it in Service Name Indication extension during handshake, so that server can choose matching SSL certificate.
Using wireshark, you will be able to find out the host name, as mentioned by some other answers, due to SNI. Also, you'll be able to see some parts of certificates. The https URLs you've seen were probably the URLs of CRLs or OCSPs.
If someone could get at your URLs by walking your site, and compare the size of the returned pages with the size of what's returned in your encrypted page, they could make assumptions about which page your program called. But, as you want to put some parameters into the URL and hide those, this isn't a big attack vector in your case. If your URL is https://my.server/api?user=scott&password=tiger&highscore=12345, and your api always returns pages between 1000 and 1010 bytes, seeing 1007 bytes returned won't help anyone determine user or password or how to enter a highscore.
HOWEVER
https is only secure if you prevent MITM attacks. Tools like fiddler, charles or mitmproxy redirect your traffic to themselves, present a faked certificate to the client, decrypt the traffic, log it, re-encrypt it, and send it to the original site.
If your client relies on the OS's truststore, then the attacker will be able to insert his own certificate into the truststore, and your client will not notice anything. The READMEs of the abovementioned tools have instructions how to do this.
So, if you go https to prevent decryption, you will need to check if the certificate returned by the server is correct before you actually send your URL. Check how certificate pinning works for your OS/programming language, and use the above tools to make sure your client will detect a fake certificate and not send the URL before you publish it.
It is possible to perform traffic analysis by crawling the website and comparing packet sizes, etc. Depending on how much dynamic content is present or images referenced from the URL it is possible to get a very accurate understanding of which URLs where visited.
The presentation SSL Traffic Analysis Attacks - Vincent Berg (YouTube) explains it and has some functional demonstrations.
It is possible if the attacker has access to the client, for an overview see: https://wiki.wireshark.org/SSL#Using_the_.28Pre.29-Master-Secret
For example on Java-Clients an agent like jSSLKeylog can be attached to intercept and log the supposed encrypted content/URL. If the PreMaster-Secret of an communication can be obtained through any means in the process, captured encrypted communication can be decoded afterwards.
