Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Ssl

  • 17-07-2007 3:18pm
    #1
    JohnK
    Registered Users, Registered Users 2 Posts: 4,780 ✭✭✭


    Hi all, just got a quick question about SSL encryption. When you browse to a secure URL, what can your network admin, ISP or any other machine along the way see exactly? Obviously they need to know the destination of the data but can they see a full URL for example? So lets say I logged into my bank account with BOI will they just know that I’m doing something on the domain https://www.365online.com or would they be able to see that I’m looking at the page https://www.365online.com/Services/ApplyForALoan.htm? Or would they even see that much as in would they only know the connection is to IP 123.123.123.123 and not what website you're on?


Comments

  • #2
    WizZard
    Registered Users, Registered Users 2 Posts: 6,762 ✭✭✭WizZard


    Do you go through a work proxy/filter? If so the URL every page you request can be seen (in general)


  • #3
    JohnK
    Registered Users, Registered Users 2 Posts: 4,780 ✭✭✭JohnK


    Thanks for the response WizZard. I'm really talking about a more general situation than just a work environment though.

    My rudimentary understanding was that the encrypted communication was from the browser on my desktop to the server at the far end and that nothing in-between could read any data that was sent between the two. I’d imagine that’s fine for form posted data but what about the likes of query strings? They form part of the URL so would they be readable and if so doesn’t that defeat the purpose of encrypting the data?

    There are also sites that use virtual documents so each URL would look different but its always being handled by the same page. For example you might have some URLs that look like: but in reality they are really the same as In this case the query string is really part of the root URL but if its readable by anyone in-between then its not really as secure as you might think.

    I suppose I'm really just trying to figure out exactly what can and cant be read by a 3rd party when you're using an encrypted connection regardless if that 3rd party is your network or ISP admin or just someone snooping on your wireless network (assuming the wireless has no encryption of its own).

    thanks.


  • #4
    WizZard
    Registered Users, Registered Users 2 Posts: 6,762 ✭✭✭WizZard


    Hmm, well you could easily find out by setting up a network tap or sniffing the traffic (check out WireShark :))
    AFAIK the URL is sent in plaintext (else the server cannot understand it, and just the page data is encrypted.


  • #5
    ecksor
    Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    The entire network conversation should be encrypted, which would include the querystring, since that breaks down to connecting to the host and delivering a http get for the required resource over that connection. So no, the query string shouldn't be visible.


  • #6
    WizZard
    Registered Users, Registered Users 2 Posts: 6,762 ✭✭✭WizZard


    Wouldn't https://www.example.com/1111.aspx be visible in the above case, which redirects to https://www.example.com/product.aspx?prodID=1111 (of which only the https://www.example.com/product.aspx would be visible)

    This has piqued my interest now (must check it out later in the week) :p


  • Advertisement
  • #7
    ecksor
    Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    Assuming you mean visible to a packet sniffer, then I don't see why it would be. You're splitting up the path of the script and the variables, but that doesn't get done on the network level, that's done at the server. I think you may be getting this idea from reading proxy or webserver logs and seeing what they log but that's not really what's being asked in the first post.


  • #8
    crashedmind
    Closed Accounts Posts: 59 ✭✭crashedmind


    After the initial DNS lookup for www.example.com when you connect everything else should be encrypted i.e. browsing to https://www.example.com/1111.aspx will just show an ssl connection to the associated IP. Ditto with https://www.example.com/product.aspx?prodID=1111.

    There are of course ways to hide the initial DNS lookup depending on what you want and what resources you have available.

    Referring to the original example, note that when you click on the loans tab on https://www.365online.com you're back to non-ssl browsing i.e. directed to http://www.bankofireland.ie/html/gws/personal/get_loan/ without warning.
    The problem here is that you are relying on the server side to determine what pages are encrypted with ssl and what ones aren't...


  • #9
    JohnK
    Registered Users, Registered Users 2 Posts: 4,780 ✭✭✭JohnK


    Thanks for the replies everyone :)
    SSL is an area I've completely neglected in the past, I’ve always just assumed it worked and never looked into exactly what it is that it does so its good to finally find out a bit about it.


Advertisement