Can URLs be sniffed even though a client communicates with a server over SSL? I'm asking because I'm doing remote login & redirect to a physically different server via URL, and wondered if securing the communication via SSL would prevent replay attacks and the like.

+6  A: 

The sniffer will know the IP (and probably hostname) of the server you're requesting from, and the timing/quantity of information transferred, but nothing else.

Yes, replay (and man in the middle) attacks are prevented by SSL if you don't trust a compromised root certificate.

wrang-wrang
However, you probably do trust a compromised root certificate, like, say, the one included with this handy tool... http://www.thoughtcrime.org/software/sslsniff/
Paul McMillan
+2  A: 

An attacker can observe both the hostname (by watching your DNS traffic) and the IP address you're connecting to. The username, password and path part of the URL should not be available, however.

Of course, the client themselves always has access to this information.

caf
+2  A: 

The network sniffer would need both the public and private key to decrypt the SSL traffic.

Taylor Leese
+1  A: 

SSL sets up an encrypted session between the two machines and then runs "ordinary" HTTP over that encrypted connection, so they can see what physical machine you are connected to, but beyond that can't see anything at all in your connection.

As others have said, they can look at the DNS requests most likely to determine the hostname.

Also, there are products out there which bypass this protection in a business environment by installing a new root certificate on the client machine and having a proxy server make the connection on your behalf, and then generating a "fake" certificate for the site, generated using their root key, to make the session to the browser, so you appear to have a secure SSL connection to the server but in fact it's only to the proxy. You can look at the certificate chain for the connection to determine if this is happening, but few people will bother.

So to answer your question - no, the full URL can't be sniffed - but with access to the client machine it is possible to do it part way.

John Burton