Is HTTPS safer than HTTP?

You seem to be somewhat unclear about what HTTPS encrypts exactly, so here’s a rough rundown:

  • the browser forms an HTTP request, which consists of lines like GET /foo/bar and other HTTP headers and perhaps a request body
  • the browser looks up the IP of the server belonging to the domain it’s going to send the request to
  • it contacts that server and negotiates a TLS session, which includes the negotiation of session-specific secrets for both ends
  • it encrypts the HTTP request it created in the first step and sends it to the server
  • the communication is layered: the HTTP request is wrapped in TLS and packed into TCP/IP packets, routers just route IP packets without needing to know anything about the contents; in general, routers are protocol agnostic, they are not aware of HTTP, only the enveloping TCP/IP protocol
  • the receiving server unpacks the TCP/IP packets, reassembles the TLS request, decrypts it, and finally gets the plain HTTP request

Say somebody is snooping the network and we are using HTTPS; the snooper/hacker still has access to the encrypted data, and he can use the encrypted data to gain access to the session cookie and log in to the website

No. Even if somebody captures the encrypted request, they have no way to decrypt it (assuming no flaws in the protocol and that brute-force decryption is impractical). And they can’t simply replay the encrypted request, since they need to establish their own TLS connection, which will involve different secrets, and the server won’t be able to decrypt data originally encrypted with someone else’s secrets.

What I meant is: if the URL is encrypted, how will the routing happen?

As explained above, routers don’t route URLs, only TCP/IP packets; and the client sending the request, which knew the URL, has already translated “the URL” into simply routable TCP/IP packets.

DNS lookup converts the URL to an IP address, where the packets need to be sent. If the URL is encrypted, the DNS lookup shouldn’t work

The client makes the DNS request on the unencrypted hostname before sending the request. This is in fact the only “weak point” of this entire chain: an attacker can know what host the request was sent to, either by being able to observe DNS traffic or possibly through SNI headers in the TLS protocol or simply by guessing from the target IP address. It will not tell the attacker what URL the request contains, only the host or server. The concrete URL/path and everything else is encrypted in the HTTP request wrapped in TLS wrapped in TCP/IP.
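To see what a passive observer can actually read from the handshake, the following added example (not part of the original answer) generates a TLS ClientHello in memory with Python's `ssl` module and parses the plaintext SNI extension out of it. The hostname `example.com` is a constructed sample and no network connection is made.

```python
import ssl
import struct

def client_hello_bytes(hostname: str) -> bytes:
    """Return the first bytes a TLS client would put on the wire (no network used)."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client is now waiting for the ServerHello
    return outgoing.read()

def extract_sni(record: bytes):
    """Parse a ClientHello record and return the server_name value, or None."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    pos = 4 + 2 + 32                                       # handshake header, version, random
    pos += 1 + body[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                                   # compression_methods
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(ext_end, len(body)):
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        if ext_type == 0 and len(data) >= 5:               # server_name extension
            # layout: list length (2), name type (1), name length (2), name
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii")
        pos += 4 + ext_len
    return None

if __name__ == "__main__":
    hello = client_hello_bytes("example.com")  # constructed sample hostname
    # The hostname is readable before any encryption keys exist.
    print("SNI visible to an observer:", extract_sni(hello))
    # The HTTP request (method, path, cookies) is not in this message at all;
    # it is only sent after the handshake completes, inside encrypted records.
    print("ClientHello size in bytes:", len(hello))
```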
