Solved

Is the path of an url encrypted when using https?

Posted on 2002-07-17
5
156 Views
Last Modified: 2010-04-11
Let's say I connect to https://niceserver.com/howtofoolyourboss.html trough a proxy, using https. Will the proxy then only see the server  and port I connect to (niceserver.com:80) or will it also be able to pick up the document i requested from the server (howtofoolyourboss.html)?

I'm asuming that the proxy doesn't do any man-in-the-middle attack.
0
Comment
Question by:tunheim
5 Comments
 
LVL 11

Expert Comment

by:geoffryn
ID: 7159796
If your browser is set to use the proxy, then the https://url will be listed in the proxy logs.  If you are using only the winsock proxy client and not the browser settings, then the logs record ip, source and destination port.
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 50 total points
ID: 7160473
depends on the proxy.
If you get the notification for accepting the certificate from the remote server, the proxy sees only IP and port.
If the notificatipn for the certificate is from the proxy, it does not forward the https connection, but do it itself. In this case the proxy can see the data too.
0
 
LVL 24

Expert Comment

by:SunBow
ID: 7161086
> I'm asuming that the proxy doesn't do any man-in-the-middle attack.

true.  tunheim, you have it! plain proxy does plain stuff, just the address.

Now there are many other ways devices or services, add-ons can get in the middle and run interference. See also: Carnivore.
0
 

Author Comment

by:tunheim
ID: 7161704
I _do_ get the notification from the remote server. Didn't think of it as relevant for the question. Thanks for bringing it up, it sort of fills some gaps in my understanding of networks.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 7162051
so you just need to proofe that the certificate is not faked (man-in-the-middle), simple, isn't it ;-)
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Phishing is at the top of most security top 10 efforts you should be pursuing in 2016 and beyond. If you don't have phishing incorporated into your Security Awareness Program yet, now is the time. Phishers, and the scams they use, are only going to …
Healthcare organizations in the United States must adhere to the guidance of both the HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act) for securing and protec…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now