Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Bennett Todd (bet_at_rahul.net)
Date: Fri Sep 20 2002 - 10:42:57 CDT
> Or let's ask another way: Is the URL of a HTTPS request visible
> outside of the tunnel, or do only the client and the server know
> the URL?
The URL is concealed within the encrypted SSL tunnel. First the
tunnel is built, then the HTTP request (including the URL) and
response are passed through that tunnel.
This is why name virtual hosting (having multiple DNS names for the
same IP address, with a server on that addr offering different
content depending on the name used) cannot coexist with SSL; the
hostname used by the client must match the CN attribute of the
server certificate offered by the server; but the server doesn't
know which hostname --- and hence which cert --- to offer until
after the SSL negotiation is complete and the HTTP query is
> And what about the Referer field in this respect? If a user follows a
> link from an encrypted page to an unencrypted page, does the client
> submit the Referer field with the URL of the encrypted page?
This will likely vary from browser to browser and from version to
version within a given browser; it'd be best to assume that Referrer
does deposit your URL, with magic embedded SIDs and all, in the
logfiles of subsequently-visited servers.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
-----END PGP SIGNATURE-----