
[deleted]



This is incorrect. https encrypts everything.


Compression is done only on the body, not on the headers. But HTTPS encryption is done on the whole connection.


Are you sure? I just did a quick test with Fiddler and didn't see the credentials there. I only see them when I enable HTTPS decryption.


RFC 2818 says the following:

   Conceptually, HTTP/TLS is very simple. Simply use HTTP over TLS
   precisely as you would use HTTP over TCP.
TLS is meant to be transparent to the higher level protocol - in other words, independent of HTTP. The headers should be encrypted also.

For a long time, I also believed that the URL would not be encrypted (e.g. GET /example/url.htm), but as it's running as a transparent connection then this is also encrypted. I had to check this to see if GET requests with session IDs would be vulnerable over the wire - I was quite relieved when I realised my assumptions were wrong! Also meant I had to read a few specs :-)
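
To make the point in this thread concrete, here is an added example (my own Go code, not from any commenter and not from RFC 2818) that runs a TLS client and a TLS server in one process over an in-memory connection and records every byte the client hands to the transport, which is exactly what a passive observer of the connection would see. The hostname example.test, the session ID 7f3a9c1e and the request itself are constructed for the demo. The request line with its query string and the Cookie header arrive at the server intact but never appear in the bytes on the wire; the one thing that does show up in the clear is the server name, because the SNI extension in the ClientHello is not encrypted (TLS 1.3 without Encrypted Client Hello, which Go does not enable by default).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// recordingConn copies every byte the client hands to the transport: exactly
// what a passive observer of the connection would capture.
type recordingConn struct {
	net.Conn
	wire *bytes.Buffer
}

func (c *recordingConn) Write(p []byte) (int, error) {
	c.wire.Write(p)
	return c.Conn.Write(p)
}

// selfSignedCert builds a throwaway certificate for the test server (host is an assumed test name).
func selfSignedCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, err
}

// SendOverTLS sends request from a TLS client to a TLS server over an
// in-memory connection and returns the request as the server decrypted it
// plus the raw bytes the client put on the connection.
func SendOverTLS(host string, request []byte) (plaintext, wire []byte, err error) {
	cert, parsed, err := selfSignedCert(host)
	if err != nil {
		return nil, nil, err
	}
	clientEnd, serverEnd := net.Pipe()
	defer clientEnd.Close()
	plaintext = make([]byte, len(request))
	served := make(chan error, 1)
	go func() {
		defer serverEnd.Close()
		// Tickets are disabled so the server writes nothing after the handshake;
		// net.Pipe is unbuffered and an unread write would block forever.
		srv := tls.Server(serverEnd, &tls.Config{Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true})
		_, err := io.ReadFull(srv, plaintext) // the handshake runs on the first Read
		served <- err
	}()
	rec := &recordingConn{Conn: clientEnd, wire: &bytes.Buffer{}}
	roots := x509.NewCertPool()
	roots.AddCert(parsed)
	cli := tls.Client(rec, &tls.Config{RootCAs: roots, ServerName: host})
	if _, err := cli.Write(request); err != nil { // the handshake runs on the first Write
		return nil, nil, err
	}
	if err := <-served; err != nil {
		return nil, nil, err
	}
	return plaintext, rec.wire.Bytes(), nil
}

// Exposed reports whether needle appears verbatim in the captured wire bytes.
func Exposed(wire []byte, needle string) bool {
	return bytes.Contains(wire, []byte(needle))
}

func main() {
	// Constructed request: the same session ID in the URL query string and in a Cookie header.
	req := []byte("GET /account?sid=7f3a9c1e HTTP/1.1\r\nHost: example.test\r\nCookie: session=7f3a9c1e\r\n\r\n")
	_, wire, err := SendOverTLS("example.test", req)
	if err != nil {
		panic(err)
	}
	for _, s := range []string{"GET /account?sid=7f3a9c1e", "Cookie: session=7f3a9c1e", "example.test"} {
		fmt.Printf("%-28q visible on the wire: %v\n", s, Exposed(wire, s))
	}
}
```

Running it with go run prints false for the request line and for the Cookie header and true for example.test. What an observer still gets, even though none of the HTTP bytes are readable, is the server name from SNI, the peer addresses, and the sizes and timing of the TLS records, so a session ID in the URL is safe from a wire sniffer but still ends up in server logs, Referer headers and browser history, which is the usual argument for keeping it in a cookie instead.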


As an aside, everyone has blind spots, and continuing to downvote howardr does nothing but make you feel better about yourself. This bloke's total karma is down to '2' and I'm betting it's much higher than that minus this post.



