Asked 31/1, 2009 at 21:15 Answered 5/4, 2020 at 13:37

1310

Are all URLs encrypted when using TLS/SSL (HTTPS) encryption? I would like to know because I want all URL data to be hidden when using TLS/SSL (HTTPS).

If TLS/SSL gives you total URL encryption then I don't have to worry about hiding confidential information from URLs.

Nebraska answered 31/1, 2009 at 21:15 Comment(11)

It's probably a bad idea to put confidential data in the URL anyway. It will be displayed in the browser's address bad too, remember? People don't like it if their password is visible to anyone who happens to glance at the screen. Why do you think you need to put confidential data in the URL? – Brigidbrigida 31/1, 2009 at 22:3

URLs are also stored in browser history and server logs - if I wanted to have my name and password stored somewhere, it would not be in these two places. – Bourse 30/6, 2010 at 15:33

For example, suppose I visit https://somewhere_i_trust/ways_to_protest_against_the_government/. Then the URL contains confidential data, namely the suggestion that I am considering protesting against my government. – Loganloganberry 26/9, 2011 at 8:42

I was asking myself this question when making an HTTP request from a native (not browser based) App. I'm guessing this may interest mobile App developers. In this case, the comments above (while true) are irrelevant (no url visible, no browsing history), making the answer, to my understanding a simple: "Yes, it's encrypted". – Deist 18/6, 2012 at 18:11

@Deist I also came across this question while considering the case of a mobile app which made a GET request with potentially confidential information in the querystring to an https:// address. – Freudberg 15/12, 2012 at 0:4

For those who think once you are HTTPS no one knows where you're going, read this first: The hostname of the server (e.g. example.com) will still be leaked due to SNI. This has absolutely nothing to do with DNS and the leak will occur even if you don't use DNS or use encrypted DNS. – Rivy 9/11, 2015 at 21:38

great article and help !! I have just one thing to add and seek answer. once the TLS session is established, IS the actual protocol-scheme exposed to the man-in-the-middle. For eg., if my application-level protocol is https or ftps, is this scheme i.e., http or ftp available to the main-in-the-middle. As somebody mentioned in this chain... "With TLS, the first part of the URL (example.com) is still visible as it builds the connection. The second part (/herearemygetparameters/1/2/3/4) is protected by TLS" I wanted a little more clarify about the scheme. Thanks. – Rhinencephalon 12/6, 2017 at 16:0

Possible duplicate of Are HTTPS headers encrypted? – Marra 5/10, 2017 at 0:1

@Brigidbrigida But auth code in OAuth2 is sent in the URL, as HTTP does not support redirection across domains with headers or cookies. oauth.com/oauth2-servers/access-tokens/… – Longheaded 2/8, 2018 at 8:9

@Longheaded by "auth code" i presume you are referring to "access token"? you are correct, tokens can be stolen/hijacked. this is mitigated by pairing short TTL access tokens with long TTL refresh tokens. – Oligarchy 24/3, 2021 at 4:4

@Longheaded yes, the auth code is susceptible to this attack, but the attacker would also need the client secret along with the auth code, to exchange it for an access token – Crowson 3/4, 2021 at 19:56

1140

Yes, the SSL connection is between the TCP layer and the HTTP layer. The client and server first establish a secure encrypted TCP connection (via the SSL/TLS protocol) and then the client will send the HTTP request (GET, POST, DELETE...) over that encrypted TCP connection.

Note however (as also noted in the comments) that the domain name part of the URL is sent in clear text during the first part of the TLS negotiation. So, the domain name of the server can be sniffed. But not the rest of the URL.

Fecal answered 31/1, 2009 at 21:17 Comment(13)

It is still worth noting the thing mentioned by @Jalf in the comment on the question itself. URL data will also be saved in the browser's history, which may be insecure long-term. – Biafra 12/7, 2009 at 1:37

Not just GET or POST. Can also be DELETE, PUT, HEAD, or TRACE. – Bakker 2/3, 2011 at 22:13

I would like to add to keep in mind how Amazon does this. They use a public and a secret key pair with an expiration date on the request. You must sign your JSON request using Sha1 and your private key. You then send your public key across the line. Amazon then looks up your secret key internally by using your public key, then signs the JSON. It must match or the request is rejected. This allows you to send URLs as temporary requests. Something to consider to emulate when rolling your own approach. – Inhibition 18/1, 2013 at 22:5

Yes it could be a security issue for a browser's history. But in my case I'm not using browser (also the original post did not mention a browser). Using a custom https call behind the scenes in a native app. It's a simple solution to making sure your app's sever connection is secure. – Borrego 28/5, 2013 at 23:12

Note however that the DNS resolve of the URL is probably not encrypted. So someone sniffing your traffic could still probably see the domain you're trying to access. – Furrow 19/6, 2013 at 7:35

@Jason Sebring that's a strange way to do it. Why don't they use their own private key to sign the JSON? – Morbihan 8/10, 2013 at 15:40

@bukko it may be strange but its a standard and I see this across the board on scenarios fitting API consumption. – Inhibition 8/10, 2013 at 20:35

@bukko: I think Jason is talking about this kind of thing: docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html, although there's nothing in that specific protocol about JSON. If so then when Amazon "signs the JSON [request] using your secret key", they're confirming the HMAC. It's not a public/private key pair, it's a shared secret with Amazon and a non-secret user identifier. – Loganloganberry 15/3, 2014 at 11:28

SNI breaks the 'host' part of SSL encryption of URLs. You can test this yourself with wireshark. There is a selector for SNI, or you can just review your SSL packets when you connect to remote host. – Flaxen 27/8, 2014 at 6:41

@Furrow DNS over HTTPS (DoH) fixes that. But it is still possible to found out which domain the user is connected to by the IP-domain matches even with DoH. – Thankless 8/5, 2019 at 16:9

This Answer is misleading. The URL is encrypted does not mean all the details are hidden. The domain name will still be visible – Livengood 23/12, 2019 at 18:41

If I'm using an app on my phone and sending a secure packet using HTTPS, then shouldn't I make it known to my ISP what URL this encrypted message is going to? I assume this un-encrypted URL is what others are describing as 'Server Name Indication' – Parol 30/1, 2021 at 21:47

Whilst this answer is technically correct, this doesn't mean that URL paths and GET params are 'safe'. See security.stackexchange.com/questions/233795/… – Achromaticity 3/9, 2021 at 10:41

1009

Since nobody provided a wire capture, here's one.
Server Name (the domain part of the URL) is presented in the ClientHello packet, in plain text.

The following shows a browser request to:
https://i.stack.imgur.com/path/?some=parameters&go=here

See this answer for more on TLS version fields (there are 3 of them - not versions, fields that each contain a version number!)

From https://www.ietf.org/rfc/rfc3546.txt:

3.1. Server Name Indication

[TLS] does not provide a mechanism for a client to tell a server the name of the server it is contacting. It may be desirable for clients to provide this information to facilitate secure connections to servers that host multiple 'virtual' servers at a single underlying network address.

In order to provide the server name, clients MAY include an extension of type "server_name" in the (extended) client hello.

In short:

FQDN (the domain part of the URL) MAY be transmitted in clear inside the ClientHello packet if SNI extension is used
The rest of the URL (/path/?some=parameters&go=here) has no business being inside ClientHello since the request URL is a HTTP thing (OSI Layer 7), therefore it will never show up in a TLS handshake (Layer 4 or 5). That will come later on in a GET /path/?some=parameters&go=here HTTP/1.1 HTTP request, AFTER the secure TLS channel is established.

EXECUTIVE SUMMARY

Domain name MAY be transmitted in clear (if SNI extension is used in the TLS handshake) but URL (path and parameters) is always encrypted.

MARCH 2019 UPDATE

Thank you carlin.scott for bringing this one up.

The payload in the SNI extension can now be encrypted via this draft RFC proposal. This capability only exists in TLS 1.3 (as an option and it's up to both ends to implement it) and there is no backwards compatibility with TLS 1.2 and below.

CloudFlare is doing it and you can read more about the internals here — If the chicken must come before the egg, where do you put the chicken?

In practice this means that instead of transmitting the FQDN in plain text (like the Wireshark capture shows), it is now encrypted.

NOTE: This addresses the privacy aspect more than the security one since a reverse DNS lookup MAY reveal the intended destination host anyway.

SEPTEMBER 2020 UPDATE

There's now a draft RFC for encrypting the entire Client Hello message, not just the SNI part: https://datatracker.ietf.org/doc/draft-ietf-tls-esni/?include_text=1

At the time of writing this browser support is VERY limited.

Townspeople answered 2/8, 2016 at 18:26 Comment(5)

Perfect answer, with complete explanation from A to Z. I love the Executive summary. Made my day @Townspeople – Frump 18/4, 2018 at 14:4

Perfect answer, upvote! Still consider the client part since the browser history may be a leak. However, regarding the transport layer, URL-parameters are encrypted. – Schreck 7/5, 2018 at 6:51

You may want to update this answer with the fact that TLS 1.3 encrypts the SNI extension, and the biggest CDN is doing just that: blog.cloudflare.com/encrypted-sni Of course a packet sniffer could just do a reverse-dns lookup for the IP addresses you're connecting to. – Romish 21/3, 2019 at 18:0

@evilSnobu, but username:password part of username:[email protected] is encrypted, right? So it's secure to pass sensitive data in url using https. – Chromoprotein 11/11, 2019 at 14:47

They are encrypted on the wire (in transport) but if either end (user or server) logs the URL to a plain text file and does not sanitize credentials... now that's a different conversation. – Townspeople 11/11, 2019 at 16:32

178

As the other answers have already pointed out, https "URLs" are indeed encrypted. However, your DNS request/response when resolving the domain name is probably not, and of course, if you were using a browser, your URLs might be recorded too.

Agripinaagrippa answered 31/1, 2009 at 21:26 Comment(6)

And URL recording is important since there are Javascript hacks that allow a completely unrelated site to test whether a given URL is in your history or not. You can make a URL unguessable by including a longish random string in it, but if it's a public URL then the attacker can tell that it has been visited, and if it has a short secret in it, then an attacker could brute-force that at reasonable speed. – Loganloganberry 26/9, 2011 at 8:38

Isn't there encrypted DNS as well? – Rivy 15/3, 2014 at 10:25

@SteveJessop, please provide a link to "Javascript hacks that allow a completely unrelated site to test whether a given URL is in your history or not" – Rivy 15/3, 2014 at 10:26

@Pacerier: hacks date of course, but what I was talking about at the time was things like #2395390. It was a big deal back in 2010 that these issues were being investigated and the attacks refined, but I'm not really following it at the moment. – Loganloganberry 15/3, 2014 at 10:49

@Pacerier: more examples: webdevwonders.com/…, webdevwonders.com/… – Loganloganberry 15/3, 2014 at 11:19

You can use OpenDNS with it's encrypted DNS service. I use it on my Mac, but I found the Windows version not working properly. That was a while ago though, so it might work OK now. For Linux nothing yet. opendns.com/about/innovations/dnscrypt – Llywellyn 22/4, 2014 at 15:2

113

I agree with the previous answers:

To be explicit:

With TLS, the first part of the URL (https://www.example.com/) is still visible as it builds the connection. The second part (/herearemygetparameters/1/2/3/4) is protected by TLS.

However there are a number of reasons why you should not put parameters in the GET request.

First, as already mentioned by others: - leakage through browser address bar - leakage through history

In addition to that you have leakage of URL through the http referer: user sees site A on TLS, then clicks a link to site B. If both sites are on TLS, the request to site B will contain the full URL from site A in the referer parameter of the request. And admin from site B can retrieve it from the log files of server B.)

Tempe answered 28/7, 2013 at 6:49 Comment(4)

@EJP You didn't understand what Tobias is saying. He's saying that if you click a link on site A that will take you to site B, then site B will get the referrer URL. For example, if you are on siteA.com?u=username&pw=123123, then siteB.com (which is linked to on the page of siteA.com) will receive "siteA.com?u=username&pw=123123" as the referring URL, sent to siteB.com inside the HTTPS by the browser. If this is true, that's very bad. Is this true Tobias? – Lindalindahl 26/6, 2014 at 18:37

@EJP, the domain is visible because of SNI which all modern web browsers use. Also see this diagram from the EFF showing that anyone can see the domain of the site you are visiting. This isn't about browser visibility. It's about what is visible to eavesdroppers. – Utmost 13/12, 2014 at 16:10

@trusktr: Browsers should not send a Referer header from HTTPS pages. This is part of the HTTP specification. – Fortuity 6/8, 2015 at 14:38

@MartinGeisler, Keyword is "should". Browsers don't much care about "should" (as opposed to "must"). From your own link: "strongly recommended that the user be able to select whether or not the Referer field is sent. For example, a browser client could have a toggle switch for browsing openly/anonymously, which would respectively enable /disable the sending of Referer and From information". Ops, which is exactly what Chrome did. Except Chrome leaks the Referrer even if you are in incognito mode. – Rivy 9/11, 2015 at 21:34

110

Entire request and response is encrypted, including URL.

Note that when you use a HTTP Proxy, it knows the address (domain) of the target server, but doesn't know the requested path on this server (i.e. request and response are always encrypted).

Tirrell answered 31/1, 2009 at 21:17 Comment(0)

Yes and no.

The server address portion is NOT encrypted since it is used to set up the connection.

This may change in future with encrypted SNI and DNS but as of 2018 both technologies are not commonly in use.

The path, query string etc. are encrypted.

Note for GET requests the user will still be able to cut and paste the URL out of the location bar, and you will probably not want to put confidential information in there that can be seen by anyone looking at the screen.

Lickspittle answered 31/1, 2009 at 21:20 Comment(9)

Would like to +1 this, but I find the "yes and no" misleading - you should change that to just point out that the server name will be resolved using DNS without encryption. – Burkhart 31/1, 2009 at 22:11

Wait, where is the author using the word URL in an incorrect sense? – Evacuation 26/1, 2010 at 5:16

In my understanding, the OP uses the word URL in the right sense. I think this answer is more misleading, as it doesnt clearly makes the difference between the hostname in the URL and the hostname in the DNS resolution. – Frisch 2/11, 2010 at 14:17

The URL is encrypted. Every aspect of the HTTP transaction is encrypted. Not just 'everything else'. Period. -1. – Esotropia 26/3, 2013 at 9:37

@EJP Except the DNS lookup of the host. Which is not. Period. – Lickspittle 26/3, 2013 at 10:28

Which is not part of the HTTPS transaction, contrary to the misleading impression you are continuing to give here. – Esotropia 26/3, 2013 at 11:23

@EJP but the DNS lookup does use what is at one point part of the URL, so to the non-technical person, the entire URL is not encrypted. The non-technical person who's merely using Google.com to look up non-technical things does not know where the data ultimately resides or how it is handled. The domain, which is part of the URL the user is visiting, is not 100% encrypted because I as the attacker can sniff which site he is visiting. Only the /path of a URL is inherently encrypted to the layman (it doesn't matter how). – Lindalindahl 26/6, 2014 at 18:46

@EJP, @trusktr, @Lawrence, @Guillaume. All of you are mistaken. This has nothing to do with DNS. SNI "send the name of the virtual domain as part of the TLS negotiation", so even if you don't use DNS or if your DNS is encrypted, a sniffer can still see the hostname of your requests. – Rivy 9/11, 2015 at 21:40

so in GET request Parameters are encrypted but not hostname + url upto params, but in user browser history or proxy server log it will contain full unecnrypted url – Bruise 24/5, 2016 at 18:59

An addition to the helpful answer from Marc Novakowski - the URL is stored in the logs on the server (e.g., in /etc/httpd/logs/ssl_access_log), so if you don't want the server to maintain the information over the longer term, don't put it in the URL.

Sammie answered 2/11, 2010 at 14:3 Comment(0)

It is now 2019 and the TLS v1.3 has been released. According to Cloudflare, the server name indication (SNI aka the hostname) can be encrypted thanks to TLS v1.3. So, I told myself great! Let's see how it looks within the TCP packets of cloudflare.com So, I caught a "client hello" handshake packet from a response of the cloudflare server using Google Chrome as browser & wireshark as packet sniffer. I still can read the hostname in plain text within the Client hello packet as you can see below. It is not encrypted.

So, beware of what you can read because this is still not an anonymous connection. A middleware application between the client and the server could log every domain that are requested by a client.

So, it looks like the encryption of the SNI requires additional implementations to work along with TLSv1.3

UPDATE June 2020: It looks like the Encrypted SNI is initiated by the browser. Cloudflare has a page for you to check if your browser supports Encrypted SNI:

https://www.cloudflare.com/ssl/encrypted-sni/

At this point, I think Google chrome does not support it. You can activate Encrypted SNI in Firefox manually. When I tried it for some reason, it didn't work instantly. I restarted Firefox twice before it worked:

Type: about:config in the URL field.

Check if network.security.esni.enabled is true. Clear your cache / restart

Go to the website, I mentioned before.

As you can see VPN services are still useful today for people who want to ensure that a coffee shop owner does not log the list of websites that people visit.

Globuliferous answered 24/1, 2019 at 22:47 Comment(3)

"the SNI can be encrypted" - that's the key point. Checking cloudflare.com/ssl/encrypted-sni with current Google Chrome says "Your browser did not encrypt the SNI when visiting this page." It takes two to tango... – Bourse 16/9, 2019 at 8:47

Apparently current Firefox can do ESNI, but it's disabled by default: you need to enable network.security.esni.enabled, set network.trr.mode to 2 (which currently sets your DoH resolver to CloudFlare), and restart the browser (sic!); then it will use ESNI - where supported by the domain's infrastructure. See blog.mozilla.org/security/2018/10/18/… for details. – Bourse 16/9, 2019 at 9:10

Is this supposed to work with any modern DNS or is this a specific 3rd party (Cloudflare) solution? – Parrett 23/5, 2023 at 7:56

A third-party that is monitoring traffic may also be able to determine the page visited by examining your traffic an comparing it with the traffic another user has when visiting the site. For example if there were 2 pages only on a site, one much larger than the other, then comparison of the size of the data transfer would tell which page you visited. There are ways this could be hidden from the third-party but they're not normal server or browser behaviour. See for example this paper from SciRate, https://scirate.com/arxiv/1403.0297.

In general other answers are correct, practically though this paper shows that pages visited (ie URL) can be determined quite effectively.

Electroshock answered 14/8, 2015 at 16:3 Comment(3)

That would really only be feasible on very small sites, and in those cases, the theme/tone/nature of the site would probably still be about the same on each page. – Armentrout 21/8, 2015 at 18:39

From the citation I gave: "We present a traffic analysis attack against over 6000 webpages spanning the HTTPS deployments of 10 widely used, industry-leading websites in areas such as healthcare, finance, legal services and streaming video. Our attack identifies individual pages in the same website with 89% accuracy [...]". It seems your conclusion as to feasibility is wrong. – Electroshock 4/9, 2015 at 10:15

For anyone interesting in reading more about this sort of vulnerability, these types of attacks are generally referred to as side-channel attacks. – Virus 18/4, 2016 at 18:18

You can not always count on privacy of the full URL either. For instance, as is sometimes the case on enterprise networks, supplied devices like your company PC are configured with an extra "trusted" root certificate so that your browser can quietly trust a proxy (man-in-the-middle) inspection of https traffic. This means that the full URL is exposed for inspection. This is usually saved to a log.

Furthermore, your passwords are also exposed and probably logged and this is another reason to use one time passwords or to change your passwords frequently.

Finally, the request and response content is also exposed if not otherwise encrypted.

One example of the inspection setup is described by Checkpoint here. An old style "internet café" using supplied PC's may also be set up this way.

Saveloy answered 17/11, 2016 at 2:49 Comment(0)

Althought there are some good answers already here, most of them are focusing in browser navigation. I'm writing this in 2018 and probably someone wants to know about the security of mobile apps.

For mobile apps, if you control both ends of the application (server and app), as long as you use HTTPS you're secure. iOS or Android will verify the certificate and mitigate possible MiM attacks (that would be the only weak point in all this). You can send sensitive data through HTTPS connections that it will be encrypted during transport. Just your app and the server will know any parameters sent through https.

The only "maybe" here would be if client or server are infected with malicious software that can see the data before it is wrapped in https. But if someone is infected with this kind of software, they will have access to the data, no matter what you use to transport it.

Duclos answered 3/8, 2018 at 0:8 Comment(0)

While you already have very good answers, I really like the explanation on this website: https://https.cio.gov/faq/#what-information-does-https-protect

in short: using HTTPS hides:

HTTP method
query params
POST body (if present)
Request headers (cookies included)
Status code

Sacken answered 5/4, 2020 at 13:37 Comment(0)

Linking to my answer on a duplicate question. Not only is the URL available in the browsers history, the server side logs but it's also sent as the HTTP Referer header which if you use third party content, exposes the URL to sources outside your control.

Flouncing answered 15/4, 2016 at 15:28 Comment(2)

Providing your third party calls are HTTPS aswell though this isn't an issue right? – Antiparallel 10/11, 2016 at 16:46

It'd be encrypted with the third parties certificate so they could see the URL – Flouncing 11/11, 2016 at 18:3

Additionally, if you're building a ReSTful API, browser leakage and http referer issues are mostly mitigated as the client may not be a browser and you may not have people clicking links.

If this is the case I'd recommend oAuth2 login to obtain a bearer token. In which case the only sensitive data would be the initial credentials...which should probably be in a post request anyway

Ply answered 22/8, 2018 at 8:3 Comment(0)

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++