tags:

views:

390

answers:

7
Q: 

HTTPS Response body - Is it secured?

Would like to understand whether the HTTPS body part of the Response is encrypted. Also, in a HTTPS request whether the header are transmitted as plain text / encrypted?

Is there any tool with which I can observe the raw HTTPS traffic without decrypting it.

A: 

Anything sent over https is encrypted using SSL transport

Try WireShark or Fiddler as helpful tools for this.

Chris Ballance  2009-07-10 19:31:32
The HTTP header is encrypted too.
Gumbo  2009-07-10 19:38:02
Duly noted, thanks Gumbo.
Chris Ballance  2009-07-10 19:40:15
+6  A: 

HTTPS is HTTP over SSL. So the whole HTTP communication is encrypted.

Gumbo  2009-07-10 19:33:07
This doesn't matter for the posters question, but I feel compelled to point out that browsers will store the URL and subsequent query strings in it's history. So while communication is over SSL, any query string values might be saved by the browser. In otherwords, don't put sensitive information in a query string, even if you are communicating over SSL.
Matt  2009-07-10 19:44:46
I don’t know it for sure but I think the server does that in his access logs too.
Gumbo  2009-07-10 19:49:39
@Gumbo great point!
Matt  2009-07-10 19:55:22
I am more concerned with the proxy servers, they can log the urls and even the request response. So, for sure I know urls are not encrypted, what about the headers and response body?
Ramesh  2009-07-10 20:37:57
The whole HTTP communication is encrypted. And URLs are part of the HTTP. Thus they are encrypted too. Just the client’s and server’s IP addresses are not.
Gumbo  2009-07-10 20:48:34
Proxy servers cannot see HTTPS URLs, the request, or the response. All they see is a HTTP CONNECT request. You can see exactly what the proxy sees using Fiddler, without turning on the "Decrypt HTTPS traffic" option, which is an option not available to a remote proxy.
EricLaw -MSFT-  2009-07-11 15:05:14
A: 

When using HTTPS, the entire content of the request and reply are encrypted, including the headers and body. The HTTP protocol in plaintext happens on top of, TLS or SSL, so what's on the wire is encrypted.

Jared Oberhaus  2009-07-10 19:33:36
+1  A: 

YES https flow is encrypted. When an https connection is initialized, it uses a strong encryption algorithm to handshake and agree with other part on a less strong, but much faster encryption algorithm for the flow.

To observe network packets, you can use sniffers like http://www.ethereal.com/.

zim2001  2009-07-10 19:36:53
A: 

The entire HTTP session is encrypted including both the header and the body.

Any packet sniffer should be able to show you the raw traffic, but it'll just look like random bytes to someone without a deep understanding of SSL, and even then you won't get beyond seeing the key exchange as a third party.

Edward Kmett  2009-07-10 20:11:21
A: 

Any packet capture/sniffing tool can show you the raw HTTPS traffic. To view the actual contents (by decrypting it), use Fiddler.

Sriram Krishnan  2009-07-10 20:44:45
+1  A: 

As the other posts say - HTTPS is HTTP (plaintext) wrapped in SSL on top of the TCP/IP layer. Every part of the HTTP message is encrypted. So the stack looks like:

TCP/IP

SSL

HTTP

As far as encryption goes, there is no way to see any part of the HTTP message with SSL around it.

If you need to debug your traffic I suggest the following:

  • Use a network traffic watcher (like Ethereal) to watch the creation of connections. This will let you see the connection be initiated. It will show you the start of the SSL Handshake, details on failures, and when the session is set up, there will be chains of cipher text. The ciphertext is not very useful, but its presence lets you know data is going back and forth.
  • Deubg your http layer in the clear prior to setting up HTTPS. Every application or web server I've ever worked with has let me turn off HTTPS, and host the same set of URLs in the clear. Do this, and watch it with the same network tool.
  • If you get both sides talking with HTTP and everything breaks on HTTPS, it's time to look at either the SSL session establishment or anything in between the two points that may be interrupting the flow.
bethlakshmi  2009-07-10 21:29:29

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security