CISSP_Candidate
08-29-2006, 04:48 PM
Would it be right to say that if I have a client transferring data to a server using an SSL implementation, my headers would not be encrypted, thus not offering total confidentiality protection?
If just my payload is encrypted, then what kinds of attacks could be performed on just the headers? Has anybody here used Connect Direct from Sterling? The server and client have an option to use SSL encryption for the data transfer; however, I'm not really convinced about SSL as a totally secure encryption method. Any thoughts???
Jescoi
08-29-2006, 04:49 PM
That's right. SSL does not encrypt HTTP headers, only payload.
The browser and web server talk HTTP in plain text, and when using SSL the payload gets encrypted.
I have captured the following using the Mozilla plugin Live HTTP Headers, from a login page that posts to an HTTPS page.
After looking at the header, I am pretty sure you can think of all kinds of exploits against headers.
This is a reason why, irrespective of SSL or non-SSL, it is advised not to post sensitive information improperly - now I might be getting out of scope here :)
Quote:
https://www.techquotes.com/loman.php
POST /loman.php HTTP/1.1
Host: www.techquotes.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://www.techquotes.com/loman.php
Cookie: PHPSESSID=78cb18a742dceca1ee6ba60fd0e26f1e
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
emailID=a@bc.com&password=abc&submit=Submit
HTTP/1.x 200 OK
Date: Thu, 15 Jun 2006 01:17:12 GMT
Server: Apache/2.0.52 (Unix) mod_ssl/2.0.52 OpenSSL/0.9.7a PHP/4.3.9
X-Powered-By: PHP/4.3.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6174
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-1
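An added illustration in my own code, not from either poster, using Jescoi's capture re-typed as a constructed sample: it parses the request to show where the session cookie and the password sit, and what a passive observer of the TLS session would still see. Live HTTP Headers logs the message inside the browser before it reaches the TLS layer, so every header it shows is encrypted on the wire together with the body. The sensitive header names and the form-field name pattern are assumptions chosen for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample (not a live capture): the request Jescoi logged, re-typed with
# CRLF line endings and a Content-Length computed from the body actually present.
_BODY = "emailID=a@bc.com&password=abc&submit=Submit"
CAPTURED_REQUEST = (
    "POST /loman.php HTTP/1.1\r\n"
    "Host: www.techquotes.com\r\n"
    "Referer: https://www.techquotes.com/loman.php\r\n"
    "Cookie: PHPSESSID=78cb18a742dceca1ee6ba60fd0e26f1e\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(_BODY)}\r\n"
    "\r\n" + _BODY
)
SENSITIVE_HEADERS = {"cookie", "authorization", "proxy-authorization"}  # assumed list
SENSITIVE_PARAM = re.compile(r"pass|pwd|secret|token|session", re.IGNORECASE)  # assumed

def parse_http_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split one HTTP/1.1 request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def sensitive_fields(raw: str) -> List[str]:
    """Name each place in the message carrying a credential or session identifier.
    All of them sit inside the HTTP message, which TLS encrypts whole on the wire;
    Live HTTP Headers shows them because it logs inside the browser, before TLS."""
    _, target, headers, body = parse_http_request(raw)
    found = [f"header:{h}" for h in headers if h in SENSITIVE_HEADERS]
    if "?" in target:  # secrets in a query string also land in server and proxy logs
        found.append("target:query")
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for pair in body.split("&"):
            name = pair.partition("=")[0]
            if SENSITIVE_PARAM.search(name):
                found.append(f"body:{name}")
    return found

def visible_to_network_observer(raw: str, port: int = 443) -> Dict[str, object]:
    """What a passive observer of the TLS session still learns: the endpoint (and the
    hostname, sent in the clear when the client uses SNI), rough size and timing."""
    _, _, headers, _ = parse_http_request(raw)
    return {"host": headers.get("host"), "port": port, "approx_bytes": len(raw)}
```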