What Parts of an HTTPS Connection Can be Revealed?

In this article, we explore which parts of an HTTPS connection can be revealed to eavesdroppers, such as someone using the same WiFi connection or an ISP. We discuss the transmission of the hostname and the encryption of the rest of the URL, headers, and cookies.

The hostname is transmitted in the clear. This is because HTTPS is a tunnel established after a connection to the server. The hostname is available for an eavesdropper to snoop in a number of ways:

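  • Your device performs a DNS lookup for the hostname, and that lookup is always in the clear;
  • Your device then opens a TCP connection to the IP address that DNS returned for the hostname (google.com in this example);
  • When SNI (Server Name Indication) is used, the TLS handshake that opens the HTTPS connection includes the hostname;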
  • As part of the TLS handshake, the server will supply the certificate in plaintext which contains the hostname.

The rest of the URL, which includes any parameters, is not transmitted in the clear, so it is not subject to eavesdropping. All headers, including the cookies, are also transmitted encrypted. The attacker can, however, see the size of any communications and potentially draw conclusions from that.
