SEARCH

How-To Geek

Can Third Parties Read the Full URL When Browsing via HTTPS?


When you’re securely visiting a website via https:// the data sent between the server and your browser is encrypted but what about the URLs you’re visiting within the site? Can your ISP or other third party observer see what you’re looking at?

Today’s Question & Answer session comes to us courtesy of SuperUser—a subdivision of Stack Exchange, a community-driven grouping of Q&A web sites.

The Question

An anonymous SuperUser reader wants to know if their browsing sessions are completely secure:

We all know that HTTPS encrypts the connection between the computer and the server so that it cannot be viewed by a third party. However, can the ISP or a third party see the exact link of the page the user accessed?

For example, I visit:

https://www.website.com/data/abc.html

Will the ISP know that I accessed */data/abc.html or just know that I visited the IP of www.website.com?

If they know, then why does Wikipedia and Google have HTTPS when someone can just read the internet logs and find out the exact content the user viewed?

An interesting question that certainly has implications for personal privacy. Let’s investigate.

The Answer

SuperUser contributor Grawity offers a very concise overview of how the full URL is processed along the way:

From left to right:

The schema https: is, obviously, interpreted by the browser.

The domain name www.website.com is resolved to an IP address using DNS. Your ISP will see the DNS request for this domain, and the response.

The path /data/abc.html is sent in the HTTP request. If you use HTTPS, it will be encrypted along with the rest of the HTTP request and response.

The query string ?this=that, if present in the URL, is sent in the HTTP request – together with the path. So it’s also encrypted.

The fragment #there, if present, is not sent anywhere – it’s interpreted by the browser (sometimes by JavaScript on the returned page).

In short, everything to the right of the domain name is encrypted by the HTTPS session and remains invisible to your ISP or anyone else peeking in your activities.


Have something to add to the explanation? Sound off in the the comments. Want to read more answers from other tech-savvy Stack Exchange users? Check out the full discussion thread here.

Jason Fitzpatrick is warranty-voiding DIYer and all around geek. When he's not documenting mods and hacks he's doing his best to make sure a generation of college students graduate knowing they should put their pants on one leg at a time and go on to greatness, just like Bruce Dickinson. You can follow him on if you'd like.

  • Published 03/21/13

Get Free Articles in Your Inbox!

Join 134,000 newsletter readers

Email:

Go check your email!