Is it possible to intercept https traffic and see the links?

If the Man-in-the-Middle attack succeeds, then, by definition, the attacker sees everything: success here being that the attacker impersonates both the client and the server, so the client talks to the attacker, the server talks to the attacker, the attacker decrypts on one side and re-encrypts on the other. With a successful MitM, the attacker can see the links, the page contents, the passwords...

But, of course, SSL has been designed to defeat MitM attacks. The main protection is the server's certificate. To succeed at MitM, the attacker must create a fake certificate with the server's name, but containing a public key that the attacker controls. The whole point of trusted root CA and certificate validation is so that the client does not get fooled by a fake server certificate.

(If the human user sees the scary warning from his browser "this server uses an untrusted certificate" and still clicks on the "I don't care, connect anyway!" button, then the MitM succeeds. Security against MitM in SSL relies on the idea that the human user does not do anything stupid such as disregarding that kind of warning.)

Edit: as for what can be inferred from passive sniffing, this does not include the requested URL per se; however, a few things can be inferred:

  • The intended server name (the "host name" part of the URL) will be known to the attacker. Modern browsers show it in cleartext as part of the Server Name Indication extension. The name also appears in the server's certificate, which is sent as cleartext as well.

  • Encryption hides data contents, but not data length. The attacker can then infer the length of the URL, especially if he gets to observe several encrypted requests.

  • Since lengths leak, the attacker can more or less see how many elements are downloaded by the client and their respective lengths, e.g. linked pictures. Depending on the site structure and whether the attacker can also browse the same site (as, e.g., another user), he may figure out with great precision what the target user is actually browsing.
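The answer's point about the server certificate is that the client, not the network, is what stops a forged certificate: the chain must lead to a trusted root and the name in the certificate must match the host the client meant to reach. The following added example (not from the answer above; written for this page) shows both halves in Python's standard `ssl` module: a hostname check against the dict shape `getpeercert()` returns, a client context that validates, and the weakened context that is the programmatic equivalent of clicking "connect anyway". The certificate dict is constructed sample data; the names `example.com` and `Example Root CA` are placeholders.

```python
import ssl

# Constructed example: a peer certificate in the dict shape that
# ssl.SSLSocket.getpeercert() returns after a successful handshake.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' may only stand for the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label, must leave at least two
    # labels to its right, and must not absorb extra sub-labels.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(peercert: dict, hostname: str) -> bool:
    """True if one of the certificate's dNSName SANs covers hostname.
    Modern clients ignore the CN field, so a certificate without SANs fails."""
    sans = [value for (kind, value) in peercert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_dns_name_matches(san, hostname) for san in sans)


def hardened_client_context(cafile=None) -> ssl.SSLContext:
    """Client context that rejects untrusted chains and name mismatches,
    i.e. the browser behaviour that defeats a MitM holding a fake certificate."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLS1_2
    return ctx


def click_through_context() -> ssl.SSLContext:
    """The programmatic equivalent of 'I don't care, connect anyway': no chain
    validation and no hostname check. Kept here as the anti-pattern to audit for."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode is lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_validates_peer(ctx: ssl.SSLContext) -> bool:
    """Audit helper: does this context actually validate the server?"""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    for host in ("example.com", "www.example.com", "deep.sub.example.com", "example.com.evil.test"):
        print(f"{host:28s} matches: {hostname_matches(SAMPLE_PEERCERT, host)}")
    print("hardened context validates:    ", context_validates_peer(hardened_client_context()))
    print("click-through context validates:", context_validates_peer(click_through_context()))
```

`context_validates_peer` is the check worth running in code review or a test suite: any client code path that builds a context with `CERT_NONE` or `check_hostname = False` has removed exactly the protection the answer describes, whatever the network does.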
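The three bullets above describe what is visible without any key: the SNI host name in the ClientHello, and the length of every encrypted record. The following added example (written for this page, not code from the answer) parses raw TLS records the way a passive network sensor would, pulling the host name out of the SNI extension and listing application-data record lengths, then compares those lengths against a catalogue of known pages. The ClientHello, the records and the catalogue are all constructed sample data; `example.com` and the page paths are placeholders. This is the same view an IDS or privacy assessment has of TLS traffic, and it shows why record padding matters for sites whose page sizes identify the page.

```python
import struct

TLS_HANDSHAKE = 0x16
TLS_APPLICATION_DATA = 0x17
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal ClientHello record carrying an SNI extension.
    Sample input for the parser below, not a real capture."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                                  # client_version
        + bytes(32)                                  # random (zeros in this sample)
        + b"\x00"                                    # empty session_id
        + struct.pack("!H", 2) + b"\xc0\x2f"         # one cipher suite
        + b"\x01\x00"                                # compression: null only
        + struct.pack("!H", len(ext)) + ext          # extensions block
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(handshake)) + handshake


def build_app_data(length: int) -> bytes:
    """Construct an application_data record; the zero payload stands in for ciphertext."""
    return struct.pack("!BHH", TLS_APPLICATION_DATA, 0x0303, length) + bytes(length)


def extract_sni(handshake: bytes):
    """Walk the ClientHello fields and return the host_name from the SNI extension."""
    if not handshake or handshake[0] != HANDSHAKE_CLIENT_HELLO:
        return None
    pos = 4 + 2 + 32                                            # header, version, random
    pos += 1 + handshake[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", handshake[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + handshake[pos]                                   # compression_methods
    if pos + 2 > len(handshake):
        return None                                             # no extensions present
    ext_end = pos + 2 + struct.unpack("!H", handshake[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", handshake[pos:pos + 4])
        data = handshake[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == EXT_SERVER_NAME:
            name_len = struct.unpack("!H", data[3:5])[0]   # skip list length (2) + name_type (1)
            return data[5:5 + name_len].decode("ascii")
    return None


def observe(stream: bytes) -> dict:
    """What a passive sensor learns from raw TLS records with no key material:
    the SNI host name and the length of every application_data record."""
    report = {"sni": None, "app_data_lengths": []}
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, rlen = struct.unpack("!BHH", stream[pos:pos + 5])
        payload = stream[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
        if ctype == TLS_HANDSHAKE and report["sni"] is None:
            report["sni"] = extract_sni(payload)
        elif ctype == TLS_APPLICATION_DATA:
            report["app_data_lengths"].append(rlen)
    return report


def closest_page(observed_lengths, catalogue):
    """Privacy assessment: match observed record lengths against a catalogue of
    known pages (built by fetching your own site). Returns (page, distance) or None."""
    def distance(a, b):
        return sum(abs(x - y) for x, y in zip(a, b)) if len(a) == len(b) else None
    scored = [(page, distance(observed_lengths, ref)) for page, ref in catalogue.items()]
    scored = [(page, d) for page, d in scored if d is not None]
    return min(scored, key=lambda item: item[1]) if scored else None


if __name__ == "__main__":
    # Constructed capture: one ClientHello followed by four encrypted records.
    stream = (build_client_hello("example.com") + build_app_data(90)
              + build_app_data(1400) + build_app_data(1400) + build_app_data(213))
    report = observe(stream)
    print("SNI seen on the wire:", report["sni"])
    print("record lengths:      ", report["app_data_lengths"])
    catalogue = {"/index.html": [90, 1400, 1400, 213],
                 "/about.html": [88, 1400, 640],
                 "/contact.html": [92, 1400, 1400, 230]}
    print("closest known page:  ", closest_page(report["app_data_lengths"], catalogue))
```

`observe` never touches a key; everything it reports is in the record headers and the cleartext ClientHello. Encrypted Client Hello (where deployed) removes the SNI item, and response padding blurs the length fingerprint, but neither is the default, which is why the answer's "lengths leak" bullet still holds for most sites.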


No because an encrypted tunnel is set up before any messages (including GET/POST requests) are sent across the link.

Tags: tls