What information is visible to a packet sniffer which intercepted an HTTPS packet?

Tag: http, https Author: guojinxiao521 Date: 2011-11-10

If I make an HTTPS request to

subdomain.example.com/api/login?mytoken=JLK90GFSSFGDS4GFRW0

along with uploading a cookie, can a packet sniffer know:

  • header information
  • subdomain I am requesting
  • URL parameters
  • cookie contents
  • whether it is GZIP compressed

In general, what information is encrypted and what is left plain for an HTTPS packet?

Best Answer

Everything apart from the hostname is encrypted - so in your example the domain name and subdomain are in clear text, everything else is encrypted.

See "Does SSL also encrypt cookies?" for more details.

[edited: initial version mistakenly stated that the entire URL was in cleartext. http://en.wikipedia.org/wiki/Transport_Layer_Security makes it quite clear that the server and client first negotiate their encryption, then the application-layer HTTP packets (with the full URL) are sent over this encrypted link.]

comments:

Part of the URL is encrypted: '/api/login?mytoken=JLK90GFSSFGDS4GFRW0' is encrypted.
Indeed, you're right, I've updated my answer. Thanks.

Other Answer1

It depends on which type of HTTP sniffer you use.

For example, Wireshark uses a special mode of your network card (by using the WinPcap library) and usually cannot decode HTTPS traffic (but you can add your server certificate to Wireshark, and this will allow Wireshark to decode HTTPS).

On the other hand, HTTP Debugger Pro uses a man-in-the-middle technique and can decode all HTTPS traffic to/from your computer. But you need to manually install HTTP Debugger Pro on your computer with administrator privileges.

Below is a screenshot of HTTP Debugger decoding HTTPS. As you can see, it provides all information about your request/response.

[Screenshot: HTTPS Details]