Is POST data encrypted over an SSL connection?
Yes, POST data should be encrypted. Everything in the HTTP request should be encrypted in an SSL conversation. Firebug gets its info after SSL data has been decrypted by the browser. If you want to make sure, use something like Fiddler or WebScarab as a proxy sitting in between, although you might have to play games to get them to play nicely with SSL. Here's a page on how to decrypt HTTPS traffic using Fiddler.
T-D
Updated on September 17, 2022
T-D over 1 year
I've set up my web server to use SSL (I'm using WAMP for my staging scenario before I move it on up to public servers). The purpose of the site at hand has succeeded and I am able to use the site from remote computers using the HTTPS protocol.
A concern that came up with one of my users (testers) was in regards to the POST data. In his test scenario, he is on-site at one of our potential clients, accessing the site behind their VERY picky corporate firewall (we have already worked out how this site applies to their AUP, and we are clean). He is running the site in Firefox using Firebug to monitor the POST and GET data. The question is here:
In his Firebug window, the POST and Response from the XMLHTTPRequest are coming back in plain text. Is that because he was the one who initiated the secure connection? Will the POST/Response data show up to the network admins or logs?
Please take note that the intent here is not to deceive admins or circumvent policies; this is an application intended for on-site people at various locations that need to transmit sensitive data. Usage will be coordinated with every network infrastructure we encounter.
- Neil McGuigan (over 11 years): even the url and querystring are encrypted
- Maziyar (over 8 years): As a simple test and proper use of sniffing tools, use tshark/Wireshark to filter based on http.request.uri and you see that when you work with https there is nothing to display. On the other hand, send the same request over http and you see everything.
- Spence (over 14 years): If you're doubting the encryption at all, throw Wireshark on the client and sniff the traffic.
- T-D (over 14 years): I checked Fiddler and compared the POSTS and GETS between HTTPS and HTTP data and confirmed that the POSTS and GETS are secure. Thanks!
- T-D (over 14 years): @Evan What should I be looking for on Wireshark?
- Sunny (over 14 years): @Honus: You are looking for garbage :). If the data is not encrypted, you'll be able to see it in Wireshark. If it's encrypted - you will see the encrypted (non-readable) data.
- squillman (over 14 years): @Honus: Wireshark is a packet analyzer so it can/will show you all packets that are coming across the wire. You have the ability to see all network traffic regardless of app level protocols. There are filters (including one for HTTP) that let you narrow things down to more easily see what you're looking for.
- T-D (over 14 years): Brilliant! I've done this with Wireshark and everything looks great. Thanks again.
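The HTTP-versus-HTTPS comparison suggested in the comments, reduced to what a capture on the network contains, as an added example that is not part of the original thread: it classifies a captured byte stream as plaintext HTTP (request line and POST body readable) or as TLS records (only record type and length readable). The host name, credentials and record sizes are constructed, and random bytes stand in for ciphertext.

```python
import os
import struct

# TLS record-layer content types (RFC 8446, section 5.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ")

def parse_tls_records(stream: bytes):
    """Return [(type_name, length), ...] or None if this is not TLS."""
    records, offset = [], 0
    while offset + 5 <= len(stream):
        ctype, major, _minor, length = struct.unpack_from("!BBBH", stream, offset)
        if ctype not in CONTENT_TYPES or major != 3 or length > 2**14 + 2048:
            return None
        if offset + 5 + length > len(stream):
            break  # truncated capture: keep the complete records only
        records.append((CONTENT_TYPES[ctype], length))
        offset += 5 + length
    return records or None

def observer_view(stream: bytes) -> dict:
    """Report what someone capturing this stream on the network can read."""
    if stream.startswith(HTTP_METHODS):
        head, _, body = stream.partition(b"\r\n\r\n")
        request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
        return {"protocol": "http", "request_line": request_line,
                "body": body.decode("latin-1")}
    records = parse_tls_records(stream)
    if records is not None:
        return {"protocol": "tls", "records": records,
                "request_line": None, "body": None}
    return {"protocol": "unknown", "request_line": None, "body": None}

def tls_record(ctype: int, payload: bytes) -> bytes:
    """Build a constructed TLS 1.2-style record around an opaque payload."""
    return struct.pack("!BBBH", ctype, 3, 3, len(payload)) + payload

# Constructed samples: the same login POST as seen on the wire.
PLAIN = (b"POST /login?next=/home HTTP/1.1\r\nHost: staging.example\r\n"
         b"Content-Length: 27\r\n\r\nuser=alice&password=s3cret!")
# Random bytes stand in for ciphertext (constructed, not a real capture).
ENCRYPTED = (tls_record(22, os.urandom(120)) + tls_record(20, b"\x01")
             + tls_record(23, os.urandom(96)))

if __name__ == "__main__":
    print(observer_view(PLAIN))
    print(observer_view(ENCRYPTED))
```

For the TLS stream the observer still learns record types and sizes, plus the IP addresses and ports carried in the packet headers, but neither the URL nor the POST body.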