GET 数据是否也在 HTTPS 中加密?

发布于 2024-10-13 01:57:49 字数 194 浏览 3 评论 0原文

当您获取

https://crypted.google.com/search?q=%s

%s 查询是否已加密?还是只是回应? 如果不是,为什么谷歌还要对其公共内容进行加密呢?

When you GET

https://encrypted.google.com/search?q=%s

Is the %s query encrypted? Or just the response?
If it is not, why should Google serve its public content also with encryption?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(11

故人爱我别走 2024-10-20 01:57:50

HTTPS 在任何 HTTP 数据传输之前建立底层 SSL 连接
转移。这确保了所有 URL 数据(除了
主机名(用于建立连接)单独携带
在此加密连接内,并受到保护
中间人攻击的方式与任何 HTTPS 数据相同。

以上是来自 Google 问答的非常全面的答案的一部分,位于此处:

http ://answers.google.com/answers/threadview/id/758002.html#answer

HTTPS Establishes an underlying SSL conenction before any HTTP data is
transferred. This ensures that all URL data (with the exception of
hostname, which is used to establish the connection) is carried solely
within this encrypted connection and is protected from
man-in-the-middle attacks in the same way that any HTTPS data is.

The above is a part of a VERY comprehensive answer from Google Answers located here:

http://answers.google.com/answers/threadview/id/758002.html#answer

め可乐爱微笑 2024-10-20 01:57:50

安全发送主机名之后的 URL 部分。

例如,
https://somewhere.com/index.php?NAME=FIELD

/index.php?NAME=FIELD 部分已加密。 somewhere.com 则不然。

The portion of the URL after the host name is sent securely.

For example,
https://somewhere.com/index.php?NAME=FIELD

The /index.php?NAME=FIELD part is encrypted. The somewhere.com is not.

只有影子陪我不离不弃 2024-10-20 01:57:50

所有内容都已加密,但您需要记住,您的查询将保留在服务器日志中,并且可以被各种日志分析器等访问(POST 请求通常不是这种情况)。

Everything is encrypted, but you need to remember, that your query will stay in server's logs and will be accessible to various log analysers etc (which is usually not the case with POST request).

瑾夏年华 2024-10-20 01:57:50

在传输请求之前,连接会被加密。所以是的,请求也被加密,包括查询字符串。

The connection gets encrypted before the request is transmitted. So yes, the request is encrypted as well, including the query string.

看轻我的陪伴 2024-10-20 01:57:50

我刚刚通过 HTTPS 连接到一个网站并传递了一堆 GET 参数。然后我使用wireshark来嗅探网络。使用 HTTP,URL 未加密发送,这意味着我可以轻松查看 URL 中的所有 GET 参数。使用 HTTPS,一切都被加密,我什至看不到哪个数据包是 GET 命令,更不用说它的内容了!

I just connected via HTTPS to a website and passed a bunch of GET parameters. I then used wireshark to sniff the network. Using HTTP, the URL is sent unencrypted, which means I can easily see all the GET parameters in the URL. Using HTTPS, everything is encrypted and I can't even see which packet is the GET command, let alone its contents!

风蛊 2024-10-20 01:57:50

是的,它是安全的。 SSL 加密一切。

POST 请求摘录:

POST /foo HTTP/1.1
... some other headers

GET 请求摘录:

GET /foo?a=b HTTP/1.1
... some other headers

在这两种情况下,在套接字上发送的任何内容都是加密的。客户端在 GET 请求期间在浏览器中看到参数这一事实并不意味着中间人也会看到相同的内容。

Yes, it is secure. SSL encrypts everything.

Excerpt from POST request:

POST /foo HTTP/1.1
... some other headers

Excerpt from GET request:

GET /foo?a=b HTTP/1.1
... some other headers

In both cases whatever is sent on the socket is encrypted. The fact that the client sees parameters in his browser during a GET request doesn't mean that a man in the middle would see the same.

泛泛之交 2024-10-20 01:57:50

SSL 发生在标头解析之前,这意味着:

Client creates Request
Request gets encrypted
Encrypted request gets transmitted to the Server
Server decrypts the Request
Request gets parsed

请求看起来像这样(不记得确切的语法,但这应该足够接近):

GET /search?q=qwerty HTTP/1.1
Host: www.google.de

这也是为什么同一 IP 上的多个主机拥有不同的 SSL 证书的原因是有问题的,所请求的主机名在解密之前是未知的。

The SSL takes place before the header parsing, this means:

Client creates Request
Request gets encrypted
Encrypted request gets transmitted to the Server
Server decrypts the Request
Request gets parsed

A Request looks something like this (can't remember the exact syntax, but this should be close enough):

GET /search?q=qwerty HTTP/1.1
Host: www.google.de

This is also why having different SSL Certificates for several hosts on the same IP are problematic, the requested Hostname is not known until decryption.

小女人ら 2024-10-20 01:57:50

使用 HTTPS 时,GET 请求会被加密 - 事实上,这就是为什么安全网站需要有唯一的 IP 地址 - 在解密之前,无法从请求中获取预期的主机名(或虚拟目录)。

The GET request is encrypted when using HTTPS - in fact this is why secured websites need to have a unique IP address - there's no way to get the intended hostname (or virtual directory) from the request until after it's been decrypted.

怀念你的温柔 2024-10-20 01:57:50

上面有一点混乱:

  1. 尽管如此,它不再需要具有唯一的 IP 地址,因为 SNI 字段告诉服务器使用哪个证书,
  2. 除了非常早的 SNI 请求之外,所有内容都已加密。这告诉服务器哪个名称以及要使用哪个证书。也就是说,服务器名称指示符以未加密的方式发送,以便服务器和客户端可以建立安全连接,然后使用安全连接进行其他操作。

因此,回答原来的问题。除了主机名(我猜是端口)之外的所有内容在两个方向上都是安全的。

There is a little confusion above:

  1. despite what is said, it is NOT required, anymore, to have unique IP address since the SNI field tells the server which cert to use
  2. everything is encrypted EXCEPT the SNI request which is VERY early. This tells the server which Name and therefore which certificate to use. That is, the Server Name Indicator IS sent unencrypted so that the server and the client can establish and then use a secure connection for everything else.

So, in answer to the original question. Everything EXCEPT the host name (and I guess port) is secured in BOTH directions.

栀子花开つ 2024-10-20 01:57:49

整个请求都是加密的,包括 URL,甚至命令 (GET)。代理服务器等干预方可以收集的唯一信息是目标地址和端口。

但请注意,TLS 握手的客户端 Hello 数据包可以通过 < 以明文方式通告完全限定的域名em>SNI 扩展(感谢 @hafichuk),所有现代主流浏览器都使用该扩展,尽管有些浏览器仅在较新的操作系统上使用。

编辑:(因为这刚刚给我一个“好答案”徽章,我想我应该回答整个问题......)

整个响应也被加密;代理无法拦截其任何部分。

Google 通过 https 提供搜索和其他内容,因为并非所有内容都是公开的,并且您可能还想从 MITM。无论如何,最好让 Google 自己回答< /a>.

The entire request is encrypted, including the URL, and even the command (GET). The only thing an intervening party such as a proxy server can glean is the destination address and port.

Note, however, that the Client Hello packet of a TLS handshake can advertise the fully qualified domain name in plaintext via the SNI extension (thanks @hafichuk), which is used by all modern mainstream browsers, though some only on newer OSes.

EDIT: (Since this just got me a "Good Answer" badge, I guess I should answer the entire question…)

The entire response is also encrypted; proxies cannot intercept any part of it.

Google serves searches and other content over https because not all of it is public, and you might also want to hide some of the public content from a MITM. In any event, it's best to let Google answer for themselves.

神经暖 2024-10-20 01:57:49

URL 本身已加密,因此查询字符串中的参数不会以明文形式通过网络传输。

但是,请记住,包括 GET 数据的 URL 通常由网络服务器记录,而 POST 数据很少记录。因此,如果您打算执行类似 /login/?username=john&password=doe 的操作,那就不要这样做;请改用 POST。

The URL itself is encrypted, so the parameters in the query string do not travel in plain across the wire.

However, keep in mind that URLs including the GET data are often logged by the webserver, whereas POST data seldom is. So if you're planning to do something like /login/?username=john&password=doe, then don't; use a POST instead.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文