From: Bennett Todd (bet_at_rahul.net)
Date: Fri Sep 20 2002 - 10:42:57 CDT

    2002-09-20-09:08:33 Benjamin:
    > Or let's ask another way: Is the URL of an HTTPS request visible
    > outside of the tunnel, or do only the client and the server know
    > the URL?

    The URL is concealed within the encrypted SSL tunnel. First the
    tunnel is built, then the HTTP request (including the URL) and
    response are passed through that tunnel.

    This is why name virtual hosting (having multiple DNS names for the
    same IP address, with a server on that addr offering different
    content depending on the name used) cannot coexist with SSL; the
    hostname used by the client must match the CN attribute of the
    server certificate offered by the server; but the server doesn't
    know which hostname --- and hence which cert --- to offer until
    after the SSL negotiation is complete and the HTTP query is
    submitted.

    > And what about the Referer field in this respect? If a user follows a
    > link from an encrypted page to an unencrypted page, does the client
    > submit the Referer field with the URL of the encrypted page?

    This will likely vary from browser to browser and from version to
    version within a given browser; it'd be best to assume that Referrer
    does deposit your URL, with magic embedded SIDs and all, in the
    logfiles of subsequently-visited servers.

    -Bennett

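
The Referer leak described in the message above, as an added example that is not part of the original post: a Python scan of a web server access log (Combined Log Format assumed) for Referer values that came from HTTPS pages and carry session identifiers, reported in redacted form. The parameter names in SESSION_PARAMS and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Tail of a Combined Log Format line: "request" status bytes "referer" "agent"
LOG_TAIL = re.compile(r'"[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')
# Assumed names of session-carrying parameters; extend for your applications.
SESSION_PARAMS = {"sid", "sessionid", "session_id", "phpsessid", "jsessionid"}
PATH_PARAM = re.compile(r";(\w+)=[^;/]*")  # e.g. /acct;jsessionid=...

def redact_referer(referer):
    """Return (redacted_url, leaked_names) for one Referer value."""
    parts = urlsplit(referer)
    leaked = []

    def scrub_path(match):
        if match.group(1).lower() not in SESSION_PARAMS:
            return match.group(0)
        leaked.append(match.group(1))
        return ";%s=REDACTED" % match.group(1)

    path = PATH_PARAM.sub(scrub_path, parts.path)
    query = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAMS:
            leaked.append(name)
            value = "REDACTED"
        query.append((name, value))
    url = urlunsplit((parts.scheme, parts.netloc, path, urlencode(query), parts.fragment))
    return url, leaked

def find_leaks(lines):
    """List (line_number, redacted_referer, leaked_names) for HTTPS Referers with session ids."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = LOG_TAIL.search(line.strip())
        try:
            if not match or urlsplit(match.group("referer")).scheme != "https":
                continue
            redacted, leaked = redact_referer(match.group("referer"))
        except ValueError:  # malformed URL in the Referer field
            continue
        if leaked:
            hits.append((number, redacted, leaked))
    return hits

SAMPLE_LOG = [  # constructed log lines, not taken from a real server
    '192.0.2.10 - - [20/Sep/2002:10:42:57 -0500] "GET /index.html HTTP/1.0" 200 1043 "https://shop.example/cart?sid=8f3a9c&item=4" "Mozilla/4.0"',
    '192.0.2.11 - - [20/Sep/2002:10:43:02 -0500] "GET /news.html HTTP/1.0" 200 2210 "http://portal.example/links" "Mozilla/4.0"',
    '192.0.2.12 - - [20/Sep/2002:10:43:09 -0500] "GET / HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.13 - - [20/Sep/2002:10:43:15 -0500] "GET /a HTTP/1.0" 200 77 "https://bank.example/acct;jsessionid=AB12CD?view=1" "Mozilla/4.0"',
]
```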