Reputation: 10213
If someone sniffs the network traffic, can he re-send the exact same encrypted request he sniffed (without tampering with it) to the server? For example, a request could activate some procedure on the server, so could he re-activate that procedure because he has the request content, even if it was on HTTPS?
Upvotes: 2
Views: 3487
Reputation: 33538
This is known as a Replay Attack:
A replay attack (also known as playback attack) is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed.
SSL/TLS inherently protects your connection against replay attacks, so anything over HTTPS is protected.
However, if there's a proxy server (possibly transparent) en route with an SSL certificate trusted by your browser (such as in a corporate environment where root certs signed by the organisation are installed on each computer), then this would be able to replay HTTPS traffic.
Upvotes: 2
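How the TLS protection mentioned in the answer above works at the record layer, as an added example that is not part of the original answer: a simplified model of the TLS 1.2 record MAC, in which every record is authenticated together with an implicit sequence number under per-connection keys. The `RecordMac` class, the `attempt` helper and the sample request are constructed for illustration; encryption and the handshake are left out, and a random key stands in for the negotiated one.

```python
import hashlib
import hmac
import os
import struct

CONTENT_TYPE_APPDATA = 23   # application_data
VERSION_TLS12 = (3, 3)

class RecordMac:
    """One direction of a connection: MAC key plus implicit 64-bit sequence number."""

    def __init__(self, mac_key: bytes):
        self.mac_key = mac_key
        self.seq = 0  # never sent on the wire; both ends count records themselves

    def _mac(self, payload: bytes) -> bytes:
        # TLS 1.2 MAC input: seq_num || type || version || length || fragment
        header = struct.pack("!QBBBH", self.seq, CONTENT_TYPE_APPDATA,
                             *VERSION_TLS12, len(payload))
        return hmac.new(self.mac_key, header + payload, hashlib.sha256).digest()

    def protect(self, payload: bytes) -> bytes:
        record = payload + self._mac(payload)
        self.seq += 1
        return record

    def verify(self, record: bytes) -> bytes:
        payload, tag = record[:-32], record[-32:]
        if not hmac.compare_digest(tag, self._mac(payload)):
            raise ValueError("bad_record_mac")  # TLS tears the connection down here
        self.seq += 1
        return payload

def attempt(receiver: RecordMac, record: bytes) -> str:
    try:
        receiver.verify(record)
        return "accepted"
    except ValueError as exc:
        return str(exc)

def demo() -> dict:
    key = os.urandom(32)  # constructed stand-in for the negotiated MAC key
    client, server = RecordMac(key), RecordMac(key)
    sniffed = client.protect(b"POST /activate HTTP/1.1\r\n\r\n")  # constructed request
    return {
        "first": attempt(server, sniffed),             # legitimate delivery
        "replay_same_conn": attempt(server, sniffed),  # same bytes, counter moved on
        "replay_new_conn": attempt(RecordMac(os.urandom(32)), sniffed),  # new keys
    }
```

The same bytes are rejected inside the original connection because the receiver's counter has advanced, and in any new connection because a fresh handshake yields different keys.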
Reputation: 42585
Well, the answer depends on who may attack your system:
If the user using your web page or application is the attacker, the clear answer is YES, the request data is accessible.
If a local system admin has to be considered as a potential attacker, the answer is YES.
If you are talking about an external attacker who only has access to the encrypted data packets (e.g. the internet access provider), the answer is NO.
You can always redirect HTTPS traffic through a decrypting proxy which records all request and response data. The client only has to accept/install/trust the certificate of the proxy.
Upvotes: 0