Re: question regarding SSL

To: debian-user@lists.debian.org
Subject: Re: question regarding SSL
From: Camaleón <noelamac@gmail.com>
Date: Thu, 25 Nov 2010 11:40:14 +0000 (UTC)
Message-id: <[🔎] pan.2010.11.25.11.40.14@gmail.com>
References: <[🔎] AANLkTin++rKSeU8AYhWX+hrTxu+q8LtKF=K4xRKkGnsR@mail.gmail.com> <[🔎] pan.2010.11.25.11.01.25@gmail.com> <[🔎] AANLkTimZWn+VXOc73DNUNvE6Kq3_iLrQCKdHOtHJsumw@mail.gmail.com>

On Thu, 25 Nov 2010 12:07:16 +0100, Arthur Bela wrote:

> On 25 November 2010 12:01, Camaleón wrote:

>>> I mean, it can only see, that i'm visiting THISSITE.COM, or it can see
>>> THISSITE.COM/SOMELINK.html ?
>>
>> Well, I think yes, the URI could be displayed/retrieved. It is
>> registered in plain text in web server logs.

> I meant someone is sniffing the "connection" between my pc, and the
> server, not the server admin. :O

Mmmm, by logic (but I can be wrong, though), if Apache stores the 
information in plain text there are many chances it can be also fetched 
by man-in-the-middle attacks.
 
> So if someone is sniffing the connection it can only see that, i'm
> visiting https://THISSITE.COM, and it can't see, that I visit
> https://THISSITE.COM/SOMELINK.html

Look:

http://en.wikipedia.org/wiki/HTTP_Secure#Limitations

"(...) and in some cases the URI of the encrypted resource can be 
inferred by knowing only the intercepted request/response size..."

Greetings,

-- 
Camaleón

Reply to:

References:
- question regarding SSL
  - From: Arthur Bela <jozsi.avadkan@gmail.com>
- Re: question regarding SSL
  - From: Camaleón <noelamac@gmail.com>
- Re: question regarding SSL
  - From: Arthur Bela <jozsi.avadkan@gmail.com>

Prev by Date: Re: ssh and OpenGL
Next by Date: Re: question regarding SSL
Previous by thread: Re: question regarding SSL
Next by thread: Re: question regarding SSL
Index(es):
- Date
- Thread