views: 550
answers: 2

I'm looking at a web application with a Response.Redirect between two HTTPS pages. I would assume normally that the query string parameters aren't visible for HTTPS requests because of the secure connection. However, since the Response.Redirect sends back the 302 - Object Moved response in between the two pages along with query string variables, I'm worried that this message is not encrypted at all.

I have looked at the data with HttpAnalyzer, but I believe it decrypts HTTPS traffic automatically. Do I have the wrong idea about how HTTPS requests work in general? If anyone has any advice on how to proceed with this, I'd appreciate it.

A: 

What do you mean by "visible"? To an intruder?

The host you're connecting to is visible in an unencrypted form, but not the full URL itself unless there's a man-in-the-middle attack (which requires the user to trust the attacker's certificate).

Jon Skeet
Yes, visible to an intruder who was just able to intercept the message in transit: one who was listening but did not have access to the server's certificate and had not got the user to trust their own certificate in its place. I wasn't sure if the Response.Redirect was switching back to HTTP to send the 302 response.
Sam W
The response will be sent over the existing HTTPS connection; the next request will need to connect to the appropriate host, but the URL itself is part of the payload, as it were.
Jon Skeet
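The claim in the answer above (the host name is visible, the 302 and its Location header are not) can be checked without a packet sniffer. The following Go program is an added example, not code from the question or the answers: it stands up a local TLS server that answers every request with a 302 whose Location carries a query string, connects to it through a net.Conn wrapper that records every byte on the raw TCP socket (the intruder's view), and returns both what the client decrypted and what was on the wire. The host name `example.test`, the query string `token=SECRET123` and the certificate are constructed for the example; the client verifies the throwaway certificate properly rather than using InsecureSkipVerify, so the exchange matches a real HTTPS connection.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// Constructed names and values for this example; none of them come from the page.
const hostName = "example.test"
const secretQS = "token=SECRET123"
const redirectTo = "https://" + hostName + "/target?" + secretQS

// sniffed wraps the raw TCP connection and records every byte crossing it, i.e. the intruder's view.
type sniffed struct {
	net.Conn
	wire *bytes.Buffer
}

func (s *sniffed) Read(p []byte) (int, error) {
	n, err := s.Conn.Read(p)
	s.wire.Write(p[:n])
	return n, err
}
func (s *sniffed) Write(p []byte) (int, error) {
	s.wire.Write(p)
	return s.Conn.Write(p)
}

// selfSignedCert makes a throwaway certificate for hostName and a pool that trusts it (no InsecureSkipVerify).
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		DNSNames:              []string{hostName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// RunDemo serves a 302 with a query string in Location over TLS and returns (decrypted response, wire bytes, error).
func RunDemo() (string, []byte, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return "", nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", nil, err
	}
	defer ln.Close()
	go func() { // the origin server: one request in, one Response.Redirect-style reply out
		if srv, err := ln.Accept(); err == nil {
			defer srv.Close()
			srv.Read(make([]byte, 4096)) // completes the handshake and consumes the request
			fmt.Fprintf(srv, "HTTP/1.1 302 Found\r\nLocation: %s\r\nContent-Length: 0\r\nConnection: close\r\n\r\n", redirectTo)
		}
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return "", nil, err
	}
	var wire bytes.Buffer
	client := tls.Client(&sniffed{Conn: raw, wire: &wire}, &tls.Config{ServerName: hostName, RootCAs: pool})
	fmt.Fprintf(client, "GET /first-page HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n", hostName)
	resp, err := io.ReadAll(client) // returns once the server sends close_notify
	client.Close()
	return string(resp), wire.Bytes(), err
}

func main() {
	seen, wire, err := RunDemo()
	fmt.Printf("error: %v\nclient decrypted:\n%s\nquery string in plaintext on the wire: %v\nhost name on the wire (SNI): %v\n", err, seen, bytes.Contains(wire, []byte(secretQS)), bytes.Contains(wire, []byte(hostName)))
}
```

Running it shows the client receiving the full `302 Found` with `Location: https://example.test/target?token=SECRET123`, while the captured wire bytes contain neither the query string nor the word `Location`; the only recognisable string is `example.test`, which the client sends in plaintext in the TLS ClientHello (SNI). That is the whole point of the answer: the redirect is just application data inside the same TLS session, so an on-path listener sees which host you talk to but not which URL you are redirected to.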
A: 

Although query strings are not visible on the network with HTTPS, there are other concerns about where URLs containing query strings may be stored or transmitted:

http://blog.httpwatch.com/2009/02/20/how-secure-are-query-strings-over-https/

HttpWatchSupport