security - With HTTPS, are the URL and the request headers protected as the request body is? -

Just want to verify: when making an SSL connection (HTTP POST) to, say:

https://www.example.com/some/path?customer_key=123123123

If you don't want anyone to know the customer_key, this approach won't work, even if making an HTTPS connection, correct?

All the info you want secured has to be in the request body, right?

Quoting the HTTPS RFC:

When the TLS handshake has finished, the client may then initiate the first HTTP request. All HTTP data MUST be sent as TLS "application data".

Essentially, the secure SSL/TLS channel is established first, and only then is the HTTP protocol used. This protects all the HTTP traffic with SSL, including the HTTP headers (which contain the URL and cookies).

What may be visible in the handshake is the host name itself, since it's contained in the server certificate, which is visible in the clear in the handshake (and it's easy to guess the host name by looking at the destination IP address anyway).

When using Server Name Indication, the requested host name should also be visible in the server_name extension in the ClientHello message. Otherwise, there may be a bit of ambiguity (for the eavesdropper) in guessing the host name from the certificate if the certificate is valid for multiple host names (e.g. multiple Subject Alt. Names or wildcards). In that case, eavesdropping on the DNS request from the client might give the attacker a clue.

Reading other people's answers and comments, they mention the issues of the referer (lost R in the spec) and logs.

Referrers shouldn't be sent when going from HTTPS to HTTP (but they are sent when going from one HTTPS site to another HTTPS site). About history: you'll have to trust whoever can potentially get that key legitimately (i.e. the users) not to spread it around. If needed, have a strategy to alter it once in a while. About logs: I'm assuming you're after protection over the network. The URL (including the query) will be in the logs indeed, but if someone is able to attack the machine to get the logs, you have more to worry about than the app keys.

One of the remaining potential weak points is how you give the link to the user. If it's embedded in a web page served over plain HTTP, anyone who can read the page is able to see it. You should serve such a page over HTTPS too. If you send the link by e-mail instead, I'd say all bets are off, since mail servers do not always encrypt the connections between themselves, and users often access their e-mail account without encryption.

EDIT:

In addition, if you're using client-certificate authentication, the client certificate is visible if it is negotiated during the initial handshake. This may leak the name of the user accessing the website (often Subject DNs contain the user name). The client certificate is not visible if it is sent during a re-negotiated handshake.
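To make the boundary concrete, here is an added example (not from the question or the answer above) that builds a constructed, minimal TLS 1.2 ClientHello for www.example.com and parses the server_name extension out of it, i.e. the one piece of request-related information an eavesdropper can read before the encrypted channel exists. The URL path and the customer_key query string never appear in those bytes; they are only ever sent inside TLS application data.

```python
import struct
from typing import Optional

def build_client_hello(hostname: str) -> bytes:
    """Build a minimal, constructed TLS 1.2 ClientHello record carrying an SNI extension."""
    name = hostname.encode("ascii")
    name_list = b"\x00" + struct.pack("!H", len(name)) + name       # name type 0 = host_name
    sni_data = struct.pack("!H", len(name_list)) + name_list
    sni_ext = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data  # extension 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + bytes(32)            # random (constructed, all zeros)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\x00\x2f"  # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
        + b"\x01\x00"          # one compression method: null
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes) -> Optional[str]:
    """Return the host name an eavesdropper can read from a ClientHello, or None."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:     # handshake record, ClientHello
            return None
        hs = record[5:]
        p = 4 + 2 + 32                                 # handshake header, version, random
        p += 1 + hs[p]                                 # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher_suites
        p += 1 + hs[p]                                 # compression_methods
        ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= min(ext_end, len(hs)):
            ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if ext_type == 0x0000:                     # server_name: skip list len + name type
                name_len = struct.unpack("!H", hs[p + 3:p + 5])[0]
                return hs[p + 5:p + 5 + name_len].decode("ascii")
            p += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                           # truncated or malformed record
    return None

if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    print("visible in handshake:", extract_sni(hello))             # www.example.com
    print("query string in handshake:", b"customer_key" in hello)  # False
```

The same parser is what a network monitor uses to log destination host names from HTTPS traffic; it has no way to recover the path or query, which is exactly the protection the answer describes.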

Tags: security, ssl, https
