
Let's say we have the following URL request in the address bar of the browser: https://www.mydomain.com/herecomessomepathorauniqueidlike?=45345678654

My question is: Which part of this URL is protected by SSL, and which part can be read by a man in the middle, like an administrator in a company?

Thanks in advance.

philkunz
  • possible duplicate of [Are https URLs encrypted?](http://stackoverflow.com/questions/499591/are-https-urls-encrypted) – Dijkgraaf Oct 31 '13 at 23:52
  • There can be an [SSL terminator](http://en.wikipedia.org/wiki/SSL_termination_proxy) on the server side. All traffic between the SSL terminator and the server application is unencrypted and administrators can read everything. – Vadim Nov 01 '13 at 00:02
  • @Den That is incorrect. Many if not most SSL-termination proxies use SSL all the way to the origin. It's necessary to maintain PCI and HIPAA compliance, for example. – Christian Ternus Nov 01 '13 at 00:05
  • @Den (unless you're talking about an SSL proxy run by the administrators of the same company that owns the origin server, in which case -- why are you worrying? They can just read everything on the server end as it comes out of the SSL channel anyway.) – Christian Ternus Nov 01 '13 at 00:11
  • @ChristianTernus Yes, I mean the server side of connections (as I wrote). Philipp Kunz asked if an administrator in a company can read traffic (URLs). For example, in a company ServerA stores very private data and ServerB terminates SSL, and only several employees are authorized to have access to ServerA's data and traffic. In this case all administrators of ServerB and of the network hardware between these servers _also_ can read ServerA traffic. It could be a problem. – Vadim Nov 02 '13 at 15:43

1 Answer


The administrator can likely tell the hostname of the site you're visiting but not the path. The hostname is transmitted in the initial ClientHello handshake if you're using TLS SNI, which approximately translates to "not on Windows XP or an OS of that vintage." Even without that, though, your administrator can

  • likely sniff your DNS requests
  • correlate those requests and their responses to the IPs you're contacting.

Everything else, including the path, is transmitted in the HTTP request once the encrypted link is established. In theory, there's no way for this to be man-in-the-middled; in practice, entities as diverse as SSL-stripping hackers and the NSA have demonstrated occasional capability to perform these attacks, but the likelihood of one happening inside a company network is relatively rare.

Christian Ternus