-1

I want to get information from one website into a PHP script on another website via HTTPS. I read at www.php.net, on the page for the fopen() function, that this function supports the HTTPS protocol.

But is it really a secure SSL transmission? Is the value of the GET variable "private" visible on the network or not? Do I get the $contents value securely?

```php
$filename = 'https://www.somesite.com/page.php?private=45456762154';
$handle = fopen($filename , 'r');
$contents = stream_get_contents($handle);
fclose($handle);
```
Haim Evgi
Oleksiy Muzalyev

2 Answers

0

You can check by using a tool such as Wireshark. This tool will intercept the network traffic and tell you which protocol it is travelling as, and allow you to inspect the packet contents. If it's unintelligible, it's SSL :-)

As an aside, if you're using a browser (which you're not), a similar tool is Fiddler to inspect the HTTP traffic your browser is seeing.

Gnat
  • I tried Wireshark already, but it had so much dynamic information on the screen that I got confused and decided to ask on Stackoverflow instead. I've read somewhere, in some comment on a forum, that during SSL-https transmission GET variable is not visible, the same as POST, that only the domain name is visible, but variables are not. But I cannot find a specific reliable source of this information, let alone for the fopen() PHP function with SSL. – Oleksiy Muzalyev Feb 26 '11 at 07:03
  • From my experience, only the domain name of the request is visible on the network, and everything else is encrypted. fopen() should act the same as a request through a browser (because it's all the same protocol, the traffic on the wire should be the same), so everything apart from the domain should be encrypted. So you should be fine, but if you really wanted to check it, then Wireshark would let you (although it's not that friendly, I agree). – Gnat Feb 26 '11 at 11:27
0

Check out this answer: "https URL with token parameter : how secure is it?"

In short, it is a bad idea to have secure params as GET variables because the URLs get logged at servers and get passed around in Referer headers.

Community
Mridul Kashatria
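
Following the second answer's point about URLs being logged, the request below keeps the secret out of the URL and makes certificate checking explicit (PHP versions before 5.6 did not verify the peer certificate by default). This is an added example, not code from the question or the answers. It assumes the remote page.php accepts the value as a POST field named `private`, and `fetch_private` is a hypothetical helper name.

```php
<?php
// Added example. Assumption: the remote script reads the secret from a POST
// field named "private" instead of from the query string.
function fetch_private(string $url, string $secret, ?string $caFile = null): string
{
    // Refuse anything that is not HTTPS so the secret never travels in clear text.
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        throw new InvalidArgumentException('URL must use https');
    }

    $ssl = [
        'verify_peer'       => true,   // validate the certificate chain
        'verify_peer_name'  => true,   // certificate must match the host name (PHP >= 5.6)
        'allow_self_signed' => false,
    ];
    if ($caFile !== null) {
        $ssl['cafile'] = $caFile;      // optional explicit CA bundle
    }

    $context = stream_context_create([
        'http' => [
            'method'          => 'POST',
            'header'          => "Content-Type: application/x-www-form-urlencoded\r\n",
            'content'         => http_build_query(['private' => $secret]),
            'timeout'         => 10,
            'follow_location' => 0,    // do not resend the request to a redirect target
        ],
        'ssl' => $ssl,
    ]);

    // fopen() returns false on connection or certificate failure.
    $handle = @fopen($url, 'r', false, $context);
    if ($handle === false) {
        throw new RuntimeException('HTTPS request failed (connection or certificate error)');
    }
    try {
        $contents = stream_get_contents($handle);
    } finally {
        fclose($handle);
    }
    if ($contents === false) {
        throw new RuntimeException('Could not read the response body');
    }
    return $contents;
}

// Usage with the URL from the question, minus the query string:
// $contents = fetch_private('https://www.somesite.com/page.php', '45456762154');
```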