Dean Weimer wrote:
> The host is still known from the request header, and is not encrypted in https, only the data in the body of the request and reply is encrypted, if the headers were encrypted a proxy would never be able to direct the request to the origin server.
>
> Here is a direct copy from a raw TCP data capture of a login to my home web server.
> CONNECT www.myhostinghome.net:443 HTTP/1.1
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4
> Proxy-Connection: keep-alive
> Host: www.myhostinghome.net
> HTTP/1.0 200 Connection established
> ...........II-....`.9..$........Q6z...j...D ..q...........
> ....@.8b.....7O"F.D.
> .......9.8.......5.........E.D.3.2.........A...../.........
> .....
> [...snip...]
>
> This is the reason you won't find any forms on a decent secure site using the GET method as the data submitted will still be visible to anyone in the middle.
>
Not quite correct. The host being contacted is sent in plain text. The
URI being requested is encrypted. A form using GET is not any less
secure than a form using POST. Notice we can't see what page you are
requesting from www.myhostinghome.net in the above example.
> Thanks,
> Dean Weimer
> Network Administrator
> Orscheln Management Co
Chris
Received on Thu Dec 18 2008 - 20:31:09 MST
This archive was generated by hypermail 2.2.0 : Fri Dec 19 2008 - 12:00:02 MST