Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Are you sure? I just did a quick test with Fiddler and didn't see the credentials there. I only see them when I enable HTTPS decryption.


RFC 2818 says the following:

   Conceptually, HTTP/TLS is very simple. Simply use HTTP over TLS
   precisely as you would use HTTP over TCP.
TLS is meant to be transparent to the higher level protocol - in other words, independent of HTTP. The headers should be encrypted also.

For a long time, I also believed that the URL would not be encrypted (e.g. GET /example/url.htm), but as it's running as a transparent connection then this is also encrypted. I had to check this to see if GET requests with session IDs would be vulnerable over the wire - I was quite relieved when I realised my assumptions were wrong! Also meant I had to read a few specs :-)




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: