https请求中,get的参数到底是不是加密的?

by

答案是:除域名,ip,端口外其它都加密。

昨天和同事说到传接口参数
我:直接用get,
同事:用post安全点。
我:说差不多吧,没本质区别。
同事:https时post参数抓包抓取不到,而get里参数可以抓取到。

今天就做个实验,看下是不是能抓取到https下的get的参数,用get访问了个https接口,得到下面包。
1-3号包 握手包
4-11号包 客户端,服务器hello包和key交换.中间还发现有证书太大,有PDU,分包了。
12号包 就是get请求了,点开看了下,什么也看不出来,就是加密的。而且连请求方式到底是get还是post都不知道。
15号包就是服务端响应的内容,也是加密的。
17号包开始有很多黑色的包,那是心跳包。
最后4个包就是四次挥手包。

stackoverflow上也找到答案
When you GET

https://encrypted.google.com/search?q=%s

问题:The %s query is encrypted? Or just the response? If it is not, why should Google serve it’s public content also with encryption?

答案1 url加密包括get方法,但域名不加密
The entire request is encrypted, including the URL, and even the command (GET). The only thing an intervening party such as a proxy server can glean is the destination address and port.

Note, however, that the Client Hello packet of a TLS handshake can advertise the fully qualified domain name in plaintext via the SNI extension (thanks @hafichuk), which is used by all modern mainstream browsers, though some only on newer OSes.

答案2 get虽然加密,但在服务器访问日志上能看到参数
The URL itself is encrypted, so the parameters in the query string do not travel in plain across the wire.

However, keep in mind that URLs including the GET data are often logged by the webserver, whereas POST data seldom is. So if you’re planning to do something like /login/?username=john&password=doe, then don’t; use a POST instead.

 

 

 

另一篇介绍https文章的
https://https.cio.gov/faq/#what-information-does-https-protect%3f

 

下面被抹黑的部分都是加密的,包括:HTTP methods (GET, POST, PUT等),URL path,url参数, POST内容.

What information does HTTPS protect?

HTTPS encrypts nearly all information sent between a client and a web service.

For example, an unencrypted HTTP request reveals not just the body of the request, but the full URL, query string, and various HTTP headers about the client and request:

An encrypted HTTPS request protects most things:

This is the same for all HTTP methods (GET, POST, PUT, etc.). The URL path and query string parameters are encrypted, as are POST bodies.

 

不加密的的域名和子域名,抓包中,可以看到证书和key交换中,确实有请求的域名信息。

What information does HTTPS not protect?

While HTTPS encrypts the entire HTTP request and response, the DNS resolution and connection setup can reveal other information, such as the full domain or subdomain and the originating IP address, as shown above.

Additionally, attackers can still analyze encrypted HTTPS traffic for “side channel” information. This can include the time spent on site, or the relative size of user input.

Posted in: IT技术Tagged:

Comments are closed.

Post Navigation