Home/ Questions/Q 573559
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T13:44:13+00:00

Say I was trying to access https://www.secretplace.com/really/really/secret.php , what’s actually sent in plain text

  • 0

Say I was trying to access https://www.secretplace.com/really/really/secret.php, what’s actually sent in plain text before the SSL session is established?

Does the browser intervene, see that I want https, initiate a SSL session with secretplace.com (i.e. without passing the path in plain text) and only after the SSL session is set up pass the path?

Just curious.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    HTTP Secure

    The level of protection depends on the correctness of the implementation of the web browser and the server software and the actual cryptographic algorithms supported.

    Also, HTTPS is vulnerable when applied to publicly-available static content. The entire site can be indexed using a web crawler, and the URI of the encrypted resource can be inferred by knowing only the intercepted request/response size. This allows an attacker to have access to the plaintext (the publicly-available static content), and the encrypted text (the encrypted version of the static content), permitting a cryptographic attack.

    Because SSL operates below HTTP and has no knowledge of higher-level protocols, SSL servers can only strictly present one certificate for a particular IP/port combination. This means that, in most cases, it is not feasible to use name-based virtual hosting with HTTPS. A solution called Server Name Indication (SNI) exists which sends the hostname to the server before encrypting the connection, although many older browsers don’t support this extension. Support for SNI is available since Firefox 2, Opera 8, and Internet Explorer 7 on Windows Vista.

    • 0