Can an attacker sniff data in a URL over HTTPS?

security url https

The entire HTTP request (and response) is encrypted, including the URL.

But yes, there is a way an attacker could grab the full URL: through the Referer header. If there is any external file (Javscript, CSS, etc.) which is not over HTTPS, the full URL could be sniffed in the Referer header. Same if the user click on a link in the page that leads to an HTTP (no SSL) page.

Also, DNS requests are not encrypted, so an attacker could know the user is going to mysite.com.


No, they can see the connection ie mysite.com but not the ?mysecretstring=1234 the https is server to server

Related

What else do I get with Cat 6 beyond future proofing my wiring?
Long Distance Networking Options
How do you check if a nameserver responds to recursive queries?
Why isn't Apache Basic authentication working?
My certificate issued by StartSSL is not accepted by my clients
Hyper-V vs. ESXi vs. XenServer
How can I map iostat device names to LVM /dev/mapper/XXX names?
CNAME and A record have different TTLs. Which one will be cached?
How to see on Linux what network interface and source IP address is used for a route to a specific destination host?
Debian. How can I securely get debian-archive-keyring, so that I can do an apt-get update? NO_PUBKEY
How to make Jenkins CI use Local time instead of UTC on debian squeeze
how to auto start openvpn (client) on ubuntu 12.04 cli?