Are the arguments of a URL encrypted when you make an HTTPS connection?


Andy Burnett
I had a brilliant idea today! Instead of bothering with authentication, I would use unguessable URLs (and/or arguments) for my application - yes I know it is hardly unique, but it might solve a problem for me.

Anyway, after recovering from the shock of my idea, I suddenly realised it would be completely useless if the URL is transmitted in plain text.  Does anyone know when the encryption in an SSL session actually kicks in?  And is there anything I can set on WAKom to ensure that the URL is protected?

Cheers
Andy

_______________________________________________
Beginners mailing list
[hidden email]
http://lists.squeakfoundation.org/mailman/listinfo/beginners
Re: Are the arguments of a URL encrypted when you make an HTTPS connection?

Lukas Renggli
> Anyway, after recovering from the shock of my idea, I suddenly realised it
> would be completely useless if the URL is transmitted in plain text.  Does
> anyone know when the encryption in an SSL session actually kicks in?  And is
> there anything I can set on WAKom to ensure that the URL is protected?

SSL kicks in before the URL is sent, see for example
<http://answers.google.com/answers/threadview/id/758002.html>.

WAKom does not come with SSL support, but it can be easily done using
Apache, Squid, ...

Cheers,
Lukas

--
Lukas Renggli
http://www.lukas-renggli.ch

Re: Are the arguments of a URL encrypted when you make an HTTPS connection?

Kyle Hamilton
In reply to this post by Andy Burnett
TLS is negotiated on the channel before any data is sent on the
channel (RFC 2818).  Other protocols, most notably ESMTP, use a
STARTTLS mechanism to negotiate the initiation of the TLS encryption.

"Security through obscurity" isn't secure.  If nothing else, remember
that the client machine is outside of your domain, and you cannot be
certain in any way that the VM your application is running in hasn't
been compromised.

-Kyle H

On Sat, Mar 14, 2009 at 1:14 PM, Andy Burnett
<[hidden email]> wrote:

> I had a brilliant idea today! Instead of bothering with authentication, I
> would use unguessable URLs (and/or arguments) for my application - yes I
> know it is hardly unique, but it might solve a problem for me.
>
> Anyway, after recovering from the shock of my idea, I suddenly realised it
> would be completely useless if the URL is transmitted in plain text.  Does
> anyone know when the encryption in an SSL session actually kicks in?  And is
> there anything I can set on WAKom to ensure that the URL is protected?
>
> Cheers
> Andy
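
The ordering described in the replies above, as an added example that is not code from any poster in this thread: it asks OpenSSL, through Python's standard `ssl` module, to send an HTTP request on a fresh in-memory TLS client and inspects the bytes that would reach the wire first. The hostname, path and token are constructed values; the run also shows that the hostname itself travels unencrypted in the ClientHello's server_name extension, while the path and query are held back until the handshake is done.

```python
import ssl

# Constructed values for illustration only (not from the thread).
HOST = "app.example.test"
REQUEST = (b"GET /doc?token=9f1c2ab47d-constructed HTTP/1.1\r\n"
           b"Host: app.example.test\r\n\r\n")


def first_flight(host=HOST, request=REQUEST):
    """Try to send `request` on a fresh TLS client; return the bytes queued for the wire."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=host)
    try:
        tls.write(request)
    except ssl.SSLWantReadError:
        # Handshake is not finished: only a ClientHello was produced and the
        # request stays in memory until the server's reply has been processed.
        pass
    return outgoing.read()


def sni_from_client_hello(data):
    """Return the server_name (SNI) found in a single-record ClientHello, or None."""
    if len(data) < 44 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS ClientHello")
    u16 = lambda off: int.from_bytes(data[off:off + 2], "big")
    pos = 5 + 4 + 2 + 32          # record hdr, handshake hdr, version, random
    pos += 1 + data[pos]          # session id
    pos += 2 + u16(pos)           # cipher suites
    pos += 1 + data[pos]          # compression methods
    end = pos + 2 + u16(pos)      # end of extensions block
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = u16(pos), u16(pos + 2)
        if ext_type == 0:         # server_name: list len, name type, name len, name
            name_len = u16(pos + 7)
            return data[pos + 9:pos + 9 + name_len].decode("ascii")
        pos += 4 + ext_len
    return None


if __name__ == "__main__":
    wire = first_flight()
    print("bytes queued before handshake completes:", len(wire))
    print("hostname visible in ClientHello:", sni_from_client_hello(wire))
    print("request path/query present:", b"/doc?token=" in wire)
```

Once the URL reaches the server it is plaintext again, so a TLS-terminating front end such as the Apache or Squid proxy mentioned above will see it, and typically log it, in full.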