On Thu, 25 Nov 2010 12:07:16 +0100, Arthur Bela wrote: > On 25 November 2010 12:01, Camaleón wrote:
>>> I mean, it can only see, that i'm visiting THISSITE.COM, or it can see >>> THISSITE.COM/SOMELINK.html ? >> >> Well, I think yes, the URI could be displayed/retrieved. It is >> registered in plain text in web server logs. > I meant someone is sniffing the "connection" between my pc, and the > server, not the server admin. :O Mmmm, by logic (but I can be wrong, though), if Apache stores the information in plain text there are many chances it can be also fetched by man-in-the-middle attacks. > So if someone is sniffing the connection it can only see that, i'm > visiting https://THISSITE.COM, and it can't see, that I visit > https://THISSITE.COM/SOMELINK.html Look: http://en.wikipedia.org/wiki/HTTP_Secure#Limitations "(...) and in some cases the URI of the encrypted resource can be inferred by knowing only the intercepted request/response size..." Greetings, -- Camaleón -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/pan.2010.11.25.11.40...@gmail.com
