Posting data over HTTPS 1

[Stretchwickster]

Hi there,

I just need a bit of reassurance from someone in the know, as I am struggling to find out this particular information from any explanatory sites on SSL.

I've written a Windows application which sends HTTP Post requests to an HTTPS address. I installed an HTTP Sniffer program called HTTP Analyzer on the client machine and it can tell me my post data regardless of whether I'm sending data to an HTTP or HTTPS address.

So my question is this, is POST data encrypted at all?
If it is, why am I able to sniff it out unencrypted?
If it isn't, what does SSL actually secure/encrypt?

Any advice would be much appreciated!

Clive

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"To err is human, but to really foul things up you need a computer." (Paul Ehrlich)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To get the best answers from this forum see: faq102-5096

 

[sleipnir214]

An HTTPS connection is an encrypted connection, so any data sent either way on such a connection will be encrypted.

I see two possible problems:[ul][li]The app is not communicating by HTTPS[/li][li]HTTP Analyzer is not sniffing the network but rather capturing packets by actually plugging into the IP stack on the client machine, not sniffing network packets[/li][/ul]

If the product you mean is the HTTP Analyzer seen on this page:

http://www.ieinspector.com/httpanalyzer/

, I would suspect the latter.

I recommend that to test whether data is encrypted you put a hub (a hub, mind you, not a switch) between your client computer and the application and put another computer running a network packet sniffer on that same hub. That way, you can see what's actually being transmitted.



Want the best answers? Ask the best questions! TANSTAAFL!

 

[Stretchwickster]

Thanks very much for the advice sleipnir214. The product is the one you referenced. Thanks for your suggestion, I will try that later. HTTP Analyzer shows that the URL prefix that my app is generating is https - is this not necessarily confirmation of encrypted post data?

I'm using the WinInet API to send the request and the only differences between sending via HTTP and HTTPS are a change of the port number (from 80 to 443) in the InternetConnect call and a change of flags passed into the HttpOpenRequest call (INTERNET_FLAG_SECURE being the pertinent one if using HTTPS).

Clive

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"To err is human, but to really foul things up you need a computer." (Paul Ehrlich)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To get the best answers from this forum see: faq102-5096

 

[sleipnir214]

HTTP Analyzer shows that the URL prefix that my app is generating is https - is this not necessarily confirmation of encrypted post data?

Sorry, but I can't answer that -- I have no experience with HTTP Analyzer.

But I do have experience with WireShark (formerly known as Ethereal:

http://www.wireshark.org),

and were I unsure of the status of my data is it rides across the network, that's the product I'd use to confirm it.




Want the best answers? Ask the best questions! TANSTAAFL!

 

[Stretchwickster]

Many thanks sleipnir, I downloaded wireshark and captured the requests and responses between client and server. This was really useful because I could then see exactly the process by which SSL establishes a handshake etc. More importantly, I was able to see that the post data is in fact encrypted.

Thanks again for your assistance.

Clive

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"To err is human, but to really foul things up you need a computer." (Paul Ehrlich)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To get the best answers from this forum see: faq102-5096