HTTP over TLS/ SSL: What is Really Secured?

-

HTTP over TLS/ SSL performs encryption of transferred data. However, what is really encrypted and what isn’t?

Part of the TLS/ SSL negotiation will not be secured. Everything else is securely transmitted.

  • What is in the clear/ can be derived will be the destination hostname or IP address and the port (usually 443)
  • URLs for GET/ POST/ HEAD request methods are secured
    • GET URL parameters, e.g. ?data=12345678&id=123
    • POST URL
  • All HTTP headers are secured. These include:
    • Cookies
    • Content-type/ content-length
    • Cache control
    • User-agent
    • Accept (-encoding)
  • HTTP payload is secured. This may be:
    • POST parameter
    • HTML/ XML data

Does it therefore mean that the GET URL over HTTPS is secured? You decide for yourself….

  1. As the GET URL method information is secured, any sniffer between the source and destination would not be able to “see” the URL parameters.
  2. However, the web browser would track the full GET URL (including the parameters) in the browsing history. As such, anyone having access to the web browser might be able to view the URL.
  3. Similarly, the access logs in the web server would typically store the full GET URL

Comments

Post a Comment

Popular posts from this blog

Understanding ITIL Service Management the UML way…

-
Image
I originally had a great deal of difficult reconciling the differences amongst ITIL Change Management, Incident Management, and Problem Management. Having researched on the subjects and understanding them better now, I’ve tried to put the concepts together using a UML class diagram to capture my understanding and to keep it imprinted. Similarly, I wanted to differentiate the various categories of changes (Standard, Emergency, Normal) using an easy to understand & self-explanatory manner – a UML Activity Diagram!
Read more

Apache Web Server Troubleshooting

-
How to troubleshoot Apache Web Server? A few standard commands to know by hard: To confirm the modules that are or will be loaded in Apache: apachectl –M [-f <conf filename>] To check the virtual host load pattern: apachectl –S [-f <conf filename>] To test a httpd.conf file: apachectl –t [-f <conf filename>] To maintain the http server: apachectl start|stop|restart To start with a specified configuration file: apachectl –f <conf filename> Create a minimalist httpd.conf. Something like: Listen 80 ServerName myserver.com:80 ServerAdmin admin@myserver.com #ServerRoot " . " ServerRoot " /usr/local/apache2 " User nobody Group nobody #DocumentRoot " ..\wwwroot " DocumentRoot " /home/data/html " ErrorLog " logs/basic_apache.log " LogLevel debug #LoadModule log_config_module modules/mod_log_config.dll LoadModule log_config_module modules/mod_log_config.so <IfModule log_config_module> LogFormat " %h %l
Read more