Is GET data also encrypted in HTTPS?
Solution 1:
The entire request is encrypted, including the URL, and even the command (GET
). The only thing an intervening party such as a proxy server can glean is the destination address and port.
Note, however, that the Client Hello packet of a TLS handshake can advertise the fully qualified domain name in plaintext via the SNI extension (thanks @hafichuk), which is used by all modern mainstream browsers, though some only on newer OSes.
EDIT: (Since this just got me a "Good Answer" badge, I guess I should answer the entire question…)
The entire response is also encrypted; proxies cannot intercept any part of it.
Google serves searches and other content over https because not all of it is public, and you might also want to hide some of the public content from a MITM. In any event, it's best to let Google answer for themselves.
Solution 2:
The URL itself is encrypted, so the parameters in the query string do not travel in plain across the wire.
However, keep in mind that URLs including the GET data are often logged by the webserver, whereas POST data seldom is. So if you're planning to do something like /login/?username=john&password=doe
, then don't; use a POST instead.
Solution 3:
HTTPS Establishes an underlying SSL conenction before any HTTP data is transferred. This ensures that all URL data (with the exception of hostname, which is used to establish the connection) is carried solely within this encrypted connection and is protected from man-in-the-middle attacks in the same way that any HTTPS data is.
The above is a part of a VERY comprehensive answer from Google Answers located here:
http://answers.google.com/answers/threadview/id/758002.html#answer
Solution 4:
The portion of the URL after the host name is sent securely.
For example, https://somewhere.com/index.php?NAME=FIELD
The /index.php?NAME=FIELD
part is encrypted. The somewhere.com
is not.