
Currently, we plan to send a short, sensitive piece of information to a server using the GET method. We will append the information to the GET request string.

We are going to use https.

I was wondering, is there any need for us to perform AES encryption on the data before we append it to the GET request string? (No decryption is needed at the receiving server side. Hence, transferring the encryption key to the server is not a requirement.)

Is an attacker able to sniff the GET request string, if https is being used?

Cheok Yan Cheng
  • Everything is encrypted, including all the request and response headers. So, no, the local part of the URL isn't leaked (except by being displayed in the address bar.) Cookies are also safe. – r3mainer Feb 07 '14 at 02:42

1 Answer


No, the attacker won't see the GET request string if HTTPS is used.

The TLS/SSL layer gets set up before any of the HTTP traffic is sent across.

If you allow HTTP connections that then immediately forward to HTTPS connections, the GET request will be available in the clear. If you keep HTTPS the entire time, it won't.

That said, there are other reasons not to do this, such as the sensitive data being potentially available in the Web Server access logs.

Here are some similar Q/A threads that will give a good background on the topic:

jglouie
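The access-log concern raised in the answer above, as an added example that is not part of the original answer: TLS hides the query string on the wire, but the server still records the full request target in its access log, while a POST body is not logged. The log lines are constructed samples in the common "combined" format, and the parameter names in `SENSITIVE_PARAMS` are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Constructed sample lines in Apache/nginx "combined" access-log format.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Feb/2014:02:40:11 +0000] "GET /submit?token=4f9a1c&lang=en HTTP/1.1" 200 512 "-" "curl/7.35"',
    '203.0.113.7 - - [07/Feb/2014:02:41:02 +0000] "POST /submit HTTP/1.1" 200 512 "-" "curl/7.35"',
    '203.0.113.9 - - [07/Feb/2014:02:41:30 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "curl/7.35"',
]

SENSITIVE_PARAMS = {"token", "password", "ssn"}  # hypothetical parameter names
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def redact_target(target):
    """Return (redacted_target, leaked_param_names) for one request target."""
    parts = urlsplit(target)
    leaked, pairs = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_PARAMS:
            leaked.append(key)
            value = "REDACTED"
        pairs.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(pairs))), leaked

def scrub_line(line):
    """Redact sensitive query values in one access-log line.

    Lines with no sensitive parameter are returned unchanged.
    """
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    new_target, leaked = redact_target(m.group("target"))
    if not leaked:
        return line, []
    return line[:m.start("target")] + new_target + line[m.end("target"):], leaked

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        scrubbed, leaked = scrub_line(entry)
        print("LEAK " + ",".join(leaked) if leaked else "ok", "|", scrubbed)
```

Only the GET line is flagged: the same value sent in the POST body never reaches the log, which is why moving sensitive fields out of the URL removes this exposure at the source.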