sam

Reputation: 10064

At what point do HTTPS/SSL encrypt the POST data

We're planning on implementing HTTPS/SSL for the first time on a project, and in anticipation I thought I'd dig a bit deeper into it.

I was looking at the data sent when logging into amazon.com using httpfox - the form sends a long POST string, of which this is a subset (obviously email and password have been changed):

email=name%40example.co.uk&create=0&password=letmein

This seems to be sitting there in plain sight. If someone was running a packet sniffer, would they be able to see this data? If not, at which point does the encryption oc

Upvotes: 1

Views: 3121

Answers (1)

C3roe

Reputation: 96151

The encryption between the browser and the server gets encrypted as a whole – not the POST data on its own, but the whole HTTP request.

What you are seeing in httpfox is only the client-side view of the data, before it is actually sent. (Showing already encrypted HTTP request data would not be of much value for debugging; besides, those kinds of tools usually operate on a level so close to the browser front end that encryption has not yet happened.)

The packet sniffer would only come into play when the whole request is already on its way from the client to the server, and there of course nothing is still “in plain”, so the attacker would only see the already encrypted data and therefore could not make any sense of it (unless he’s the NSA of course, as we all know since a few days).

Upvotes: 2
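To see the distinction the answer draws, here is an added example (not part of the original answer) that sends the question's form over HTTPS to a local test server and records every byte the client writes to the socket, which is what a packet sniffer would capture. The names `Capture`, `tap` and `Form` and the `/signin` path are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"context"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

const Form = "email=name%40example.co.uk&create=0&password=letmein" // POST body from the question
// tap copies every byte the client writes to the socket: a packet sniffer's view.
type tap struct {
	net.Conn
	wire *bytes.Buffer
}
func (t tap) Write(p []byte) (int, error) {
	t.wire.Write(p)
	return t.Conn.Write(p)
}

// Capture POSTs Form over HTTPS to a local test server; it returns the socket bytes and the body the server decrypted.
func Capture() ([]byte, string, error) {
	got := make(chan string, 1)
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		b, _ := io.ReadAll(r.Body)
		got <- string(b)
	}))
	defer srv.Close()
	buf := new(bytes.Buffer)
	client := srv.Client() // already trusts the test server's certificate
	client.Transport.(*http.Transport).DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
		c, err := new(net.Dialer).DialContext(ctx, network, addr)
		return tap{c, buf}, err
	}
	resp, err := client.Post(srv.URL+"/signin", "application/x-www-form-urlencoded", strings.NewReader(Form))
	if err != nil {
		return nil, "", err
	}
	resp.Body.Close()
	return append([]byte(nil), buf.Bytes()...), <-got, nil
}

func main() {
	wire, seen, err := Capture()
	fmt.Println(err, seen == Form, bytes.Contains(wire, []byte("password=letmein")))
}
```

The capture starts with the TLS handshake, and the HTTP request (request line, headers and form body together) is only written afterwards inside encrypted records, so the server reads the form intact while the socket bytes contain none of it.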
