15

I've set up my web server to use SSL (I'm using WAMP for my staging scenario before I move it on up to public servers). The purpose of the site at hand has succeeded and I am able to use the site from remote computers using the HTTPS protocol.

A concern that came up with one of my users (testers) was in regards to the POST data. In his test scenario, he is on-site at one of our potential clients, accessing the site behind their VERY picky corporate firewall (we have already worked out how this site applies to their AUP, and we are clean). He is running the site in FireFox using Firebug to monitor the POST and GET data. The question is here:

In his Firebug window, the POST and Response from the XMLHTTPRequest are coming back in plain text. Is that because he was the one who initiated the secure connection? Will the POST/Response data show up to the network admins or logs?

Please take note that the intent here is not to deceive admins or circumvent policies; this is an application intended for on-site people at various locations that need to transmit sensitive data. Usage will be coordinated with every network infrastructure we encounter.

Honus Wagner
  • 265
  • 1
  • 2
  • 9
  • even the url and querystring are encrypted – Neil McGuigan Dec 17 '12 at 01:29
  • As a simple test and proper use of sniffing tools, use tshark/WireShark to filter based on http.request.uri and you see when you work with https there is nothing to display. On the other hand send the same request over http and you see everything. – Maziyar Dec 25 '15 at 15:04

1 Answers1

20

Yes, POST data should be encrypted. Everything in the HTTP request should be encrypted in an SSL conversation. Firebug gets its info after SSL data has been decrypted by the browser. If you want to ensure, use something like Fiddler or WebScarab as a proxy sitting in between although you might have to play games to get them to play nicely with SSL. Here's a page on how to decrypt HTTPS traffic using Fiddler.

squillman
  • 37,883
  • 12
  • 92
  • 146
  • 3
    If you're doubting the encryption at all, throw Wireshark on the client and sniff the traffic. – Evan Anderson Jan 27 '10 at 18:49
  • I checked Fiddler and compared the POSTS and GETS between HTTPS and HTTP data and confirmed that the POSTS and GETS are secure. Thanks! – Honus Wagner Jan 27 '10 at 19:22
  • @Evan What should I be looking for on Wireshark? – Honus Wagner Jan 27 '10 at 19:41
  • 3
    @Honus: You are looking for garbage :). If the data is not encrypted, you'll be able to see it in Wireshark. If it's encrypted - you will see the encrypted (non-readable) data. – Sunny Jan 27 '10 at 19:59
  • 1
    @Honus: Wireshark is a packet analyzer so it can/will show you all packets that are coming across the wire. You have the ability to see all network traffic regardless of app level protocols. There are filters (including one for HTTP) that let you narrow things down to more easily see what you're looking for. – squillman Jan 27 '10 at 20:05
  • Brilliant! I've done this with Wireshark and everything looks great. Thanks agian. – Honus Wagner Jan 27 '10 at 20:45