4

For example we submit a form on the following site:

https://example.com (SSL Encrypted)

Then the form is submitted using the GET method, so the URL becomes something like this:

https://example.com/form_action.php?user=ANYTHING

If the user is using a VPN connection, or if the ISP is tracking the user, can they see this "ANYTHING"?

I know posted forms are secured when using SSL, but can't they just see the FULL URL the user is visiting and get the "ANYTHING" value from it?

schroeder

Ara

Dupes: http://security.stackexchange.com/questions/2914/can-my-company-see-what-https-sites-i-went-to http://security.stackexchange.com/questions/4388/are-urls-viewed-during-https-transactions-to-one-or-more-websites-(distinguishable) http://security.stackexchange.com/questions/34794/if-ssl-encrypts-urls-then-how-are-https-messages-routed http://security.stackexchange.com/questions/7705/does-ssl-tls-https-hide-the-urls-being-accessed – dave_thompson_085 Aug 14 '15 at 06:33

2 Answers

9

Yes, any value in a GET statement or POST data (e.g. ?user=ANYTHING) is encrypted once the SSL/TLS session is negotiated.

During a TLS connection, the first thing that happens is a "Client Hello" message that begins negotiating the encryption ciphers/hashing ciphers to establish a connection. On some browsers, the hostname is sent using the SNI protocol prior to establishing the session. Also, if using an explicit HTTP proxy (configured by browser settings or group policy), the plain hostname submitted via a CONNECT statement is transmitted in plaintext. However, it's only the hostname that is sent in the most verbose scenario, never the page being requested or the POST data.

After the session is negotiated, the traditional HTTP GET command is then issued. This command is sent over the TLS session, so the data is encrypted and not vulnerable to easy eavesdropping.

You can take a look here for a bit more detail.

Herringbone Cat
2

When a connection is encrypted with SSL, the entire content of the connection is encrypted, including the GET values.

ztk