Hari

Reputation: 5217

POST data encryption - Is HTTPS enough?

Consider a scenario where user authentication (username and password) is entered by the user in the page's form element, which is then submitted. The POST data is sent via HTTPS to a new page (where the PHP code will check the credentials). Now, if a hacker sits in the network and, say, has access to all the traffic, is the Application layer security (HTTPS) enough in this case? I mean, would there be adequate URL encryption, or is there a need to have Transport Layer security?

Upvotes: 9

Views: 4763

Answers (4)

Shamit Verma

Reputation: 3827

HTTPS is sufficient "if" the client is secure. Otherwise someone can install a custom certificate and play man-in-the-middle.

As a web developer not much can be done other than disallowing HTTP requests. This can be done via mod_rewrite in Apache.

Upvotes: 0
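
One way to write the mod_rewrite rule mentioned in the answer above, as an added example that is not part of the original answer. The host name www.example.com is a placeholder, and the dedicated port-80 virtual host is an assumption about the server layout.

```apache
# Added example; www.example.com is a placeholder host name.
<VirtualHost *:80>
    ServerName www.example.com

    RewriteEngine On

    # Refuse anything other than GET or HEAD on plain HTTP instead of
    # redirecting it. By the time the server answers, a POST body has
    # already crossed the network unencrypted, so a redirect would only
    # hide a form that still points at http://.
    RewriteCond %{REQUEST_METHOD} !^(GET|HEAD)$
    RewriteRule ^ - [F]

    # Send every remaining (GET/HEAD) request to the HTTPS site.
    # A fixed host name is used rather than the client-supplied Host
    # header, so the redirect target cannot be influenced by the request.
    RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

The login form's `action` still has to be an `https://` URL: the 403 makes a misconfigured form fail visibly, but it cannot un-send credentials that were already posted over HTTP.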

Sacx

Reputation: 6392

It is adequate, because if he has access to all your traffic, it doesn't matter what encryption protocol you use; he can use man-in-the-middle for both encryption protocols.

Upvotes: -1

orlp

Reputation: 117641

Yes. In HTTPS only the handshake is done unencrypted, but even the HTTP GET/POST queries are done encrypted.

It is, however, impossible to hide which server you are connecting to: since he can see your packets, he can see the IP address your packets go to. If you want to hide this too, you can use a proxy (though the hacker would know that you are sending to a proxy, but not where your packets go afterwards).

Upvotes: 3

Vilx-

Reputation: 106904

Yes, everything (including the URL) is going through the encrypted channel. The only thing that the villain would find out is the IP address of the server you are connecting to, and that you are using HTTPS.

Well, if he was monitoring your DNS requests as well, he might also know the domain name of the IP address. But just that; the path, query parameters, and everything else are encrypted.

Upvotes: 14
