Does data received from HTTPS come encrypted?

Viewed 500 times

15

If I install an SSL certificate and use HTTPS on my website and, for example, submit a form via POST, does the form data arrive at the server encrypted?

If so, how do I decrypt it using PHP?

2 answers

23


SSL/TLS is a transport-level encryption layer. This means that:

  1. Yes, the data arrives encrypted; only the browser user and the server have access to it, and no one along the way can see it or change it without being noticed;

  2. Nothing needs to be done in PHP to decrypt, since PHP operates at the application layer, not the transport layer. As the image below shows, everything in the layers above it (including the HTTP protocol itself) continues to operate normally, without even knowing what happens underneath:

    Diagram showing where TLS sits relative to TCP and HTTP/FTP/SMTP

    The query string and the entire body of the POST request, although encrypted in transit, will be available in their original form to your PHP code. So to access them, just do what you would do over an unencrypted connection (i.e. plain http://).

  • 1

    It would be hard to make it simpler and more illustrative. Congratulations.

11

mgibsonbr's answer already explains perfectly what you wanted to know in this question. Since I know you are interested in end-to-end encryption, I will add something important so that you do not use the wrong tool.

Using HTTPS is not doing end-to-end encryption. The end-to-end concept can really only be applied when the encryption is used at the application layer. In theory it would be possible to apply it at other layers, but, given the way they work in practice, it is not possible without building an ugly kludge that makes no sense at all. At least I cannot see any other way.

Using HTTPS, the way it works today, means there will be an intermediary; at some point the information will be decrypted by an agent that is not one of the endpoints. As was said in the other answer, the application does not have to deal with the encryption and in general does not even know that the data traveled encrypted; it is fully transparent. Even if the PHP code immediately re-encrypts, the privacy and authenticity guarantee of the data is already compromised, even if nothing bad is done with it.

If you want end-to-end, it is good for every developer to know that HTTPS only ensures the safe transport of the data. Once the data becomes available to the application, there is no security: a compromised server or an application that leaves gaps can expose the data without any protection. And this is a very common misconception. There is a false impression of security when HTTPS is used.

There is no half security

Either it is secure or it is insecure. Being insecure for a small fraction of a second is enough to classify something as insecure. Any application breach or server compromise (even through authorized access) may allow access to information that is briefly available without encryption.

And key-dependent encryption needs the key to be provided securely. It is no use encrypting something and making the keys available in the same environment, or in another environment that is also compromised. If you can decrypt, you need to have all the keys in that environment.

This is generally not considered a problem. There is awareness that there is no full security on the server. When you are not aiming for E2E, this is no problem. But when the goal is E2E, only the endpoints may be vulnerable. And it is good to know that there is no way around this. E2E can only guarantee that there will be no access during the whole communication process; once it arrives at the endpoint, nothing more can be guaranteed.

  • This was clear, but you opened up a gap for me; see, according to this question, I had this doubt http://answall.com/questions/28828/como-o-https-ssl-works

  • And according to what he explains the traffic is safe: with HTTPS/SSL it does not pass through anyone other than Alice and Bob. Now, the fact that the data is decrypted for one millisecond... It may break the end-to-end logic, but the server will still be encrypting everything (okay, it broke the end-to-end logic), but the security continued. Explain to me more why the data is unsafe, why? And how could anyone mess with it? I got confused; I believe you understand my doubt.

  • There is no half security; either it is safe or it is not. When you get the HTTPS response in PHP, the security ends there. Even if you re-encrypt, even if this happens in a fraction of a millisecond, if your application has some loophole, if your server is compromised (and it may be compromised on its own; it may be saying that everything is secure but may be spying), it is possible to take the data without encryption. Just the fact that the data arrives at a server I have no control over already tells me I cannot trust any privacy there.

  • I know that I run the risk of my information being leaked regardless of the will of the server maintainer (and he may have that will; no one can guarantee me otherwise). If you are insecure for a brief moment, you are insecure. Of course, someone can only obtain some information if they have access to the server. The problem is that people who can access servers improperly do so more frequently than they should.

  • I understood perfectly what you said and fully agree (because you explained it well); the bridge between the end user and the origin is broken there, I understood. If we take this into account (and we should), there is no security on the internet.. or is there some way to fix this "broken bridge"?

  • In a way, nothing is safe unless every precaution is taken. The number of servers running with intruders is enormous. It seems rare, but there are cases of servers running for years like this and nobody notices.

  • And could you let me know if there is any precaution in this case?

  • 1

    There is, but it is a complex thing to answer here. It involves an in-depth study of the subject of security, which I am not an expert on. When you want security you need to hire someone with proven competence. Even then there are no guarantees.

  • I confess that I was a little confused when you said HTTPS was not end-to-end; only after reading the comments do I think I understand: if the site/application is hosted on a third-party server, they have access to the decrypted data. Right? But let's say a company has its own server, on its own premises; in this case can we consider the encryption end-to-end, or is there something else I'm missing?

  • (Incidentally: if you don't trust your hosting provider, nothing you do will guarantee security, because how do you know that server is actually running your code?)

  • That's where it gets a little confusing. Have you read this? http://answall.com/a/49722/101. To what extent can this be considered end-to-end? I even gave an example of a situation in which the server can be considered an endpoint of the communication. Note that although it is not clear in this question, he is interested in something in another context. That's the last comment you made about end-to-end security. This concept says that effectively only the parties that should have access to the information have that access. This is only possible if there really are no intermediaries...

  • ...with access to the plaintext information; the simple fact that you have the server in a datacenter no longer gives you that assurance. You can trust them, but there is no guarantee that someone will not access the server and take information that is exposed at some point. There is no guarantee that someone with a warrant will not access the server. The only guarantee is when only the endpoints have access. Of course they may be compromised as well; they may be required by court order to use their key and reveal the information, but not through intermediaries. @mgibsonbr

  • Thanks for the clarification; in fact I had misunderstood what end-to-end meant...
