Dean Weimer wrote:
The host is still known from the request header, and is not encrypted in https, only the data in the body of the request and reply is encrypted, if the headers were encrypted a proxy would never be able to direct the request to the origin server.
Here is a direct copy from a raw TCP data capture of a login to my home web server.
CONNECT www.myhostinghome.net:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4
Proxy-Connection: keep-alive
Host: www.myhostinghome.net
HTTP/1.0 200 Connection established
...........II-....`.9..$........Q6z...j...D ..q...........
....@.8b.....7O"F.D.
.......9.8.......5.........E.D.3.2.........A...../.........
.....
[...snip...]
This is the reason you won't find any forms on a decent secure site using the GET method as the data submitted will still be visible to anyone in the middle.
Not quite correct. The host being contacted is sent in plain text. The
URI being requested is encrypted. A form using GET is not any less
secure than a form using POST. Notice we can't see what page you are
requesting from www.myhostinghome.net in the above example.
Thanks,
Dean Weimer
Network Administrator
Orscheln Management Co
Chris
