18

Can data included in a URL be considered secure if the connection is made over HTTPS? For example, if a user clicks a link in an email that points to https://mysite.com?mysecretstring=1234 would it be possible for an attacker to grab "mysecretstring" from the URL?

chmeee
  • 7,270
  • 3
  • 29
  • 43
James Cadd
  • 179
  • 1
  • 2
  • 10

5 Answers5

26

The entire HTTP request (and response) is encrypted, including the URL.

But yes, there is a way an attacker could grab the full URL: through the Referer header. If there is any external file (Javscript, CSS, etc.) which is not over HTTPS, the full URL could be sniffed in the Referer header. Same if the user click on a link in the page that leads to an HTTP (no SSL) page.

Also, DNS requests are not encrypted, so an attacker could know the user is going to mysite.com.

Julien
  • 1,028
  • 1
  • 12
  • 24
  • When you say "the full URL", does that include the parameters (e.g. mysecretstring=1234)? –  Nov 23 '10 at 02:12
  • On the Referer header, if parameters are in the URL it can be seen – chmeee Nov 22 '11 at 12:27
  • 1
    so, load no external images, css, js. use/store the secret string, and redirect internally to get rid of secret string. after that can use external urls. – Neil McGuigan Dec 13 '12 at 20:36
14

No, they can see the connection ie mysite.com but not the ?mysecretstring=1234 the https is server to server

Chris
  • 141
  • 1
  • 2
  • 6
    In fact they cannot even see which domain name you are connecting to but which IP address. Since SSL certificates only reasonably work on a 1:1 domain-name-to-IP-address relationship, this is most likely irrelevant. Also if the attacker can sniff your DNS traffic, this might be revealed. GET and POST parameters are as secure as the HTTPS traffic: If you are the client and the server certificate is valid an uncompromised, the data is secure against eavesdropping by third parties. – Paul Oct 01 '10 at 07:31
0

They would need to have the encryption key. Theoretically this is not possible but any good attack could. This is the whole purpose of SSL to encrypt all data sent to and from the server to prevent being able to sniff.

Chris
  • 1,269
  • 2
  • 17
  • 34
0

Keep your weblogs secure, or, don't even write them. If you get a remote exploit where the logs can be read, any URL data will be visible in the logs.

-1

Only if they are able to sniff the https auth through some kind of spoofing

Jimsmithkka
  • 570
  • 4
  • 13
  • Do you mean a man-in-the-middle attack? This is more than sniffing, the attacker need to impersonate the server. – Julien Oct 01 '10 at 18:33
  • well its MiM for the handshake, but after it is just sniffing, the specific tool is hamster and ferret that i saw demonstrated – Jimsmithkka Oct 06 '10 at 05:47