How does SSL work?
Detailed SSL – Step 1 Determine Secure Communication
( updated 2004-01-15 )
This is page 2 of our SSL articles.
Internet communication typically runs through multiple program layers on a server before reaching the requested data, such as a web page or CGI scripts.
The outer layer is the first to be hit by the request. This layer holds the high-level protocols such as HTTP (web server), IMAP (mail server), and FTP (file transfer). Which outer-layer protocol handles the request depends on the type of request made by the client. This high-level protocol then processes the request through the Secure Sockets Layer. If the request is for a non-secure connection, it passes through to the TCP/IP layer and the server application or data.
If the client requested a secure connection, the SSL layer initiates a handshake to begin the secure communication process. Depending on the SSL setup on the server, it may require that a secure connection be made before allowing communication to pass through to the TCP/IP layer, in which case a non-secure request will be answered with an error asking the client to retry securely (or the non-secure connection will simply be denied).
This question is usually geared toward whether or not the path and query string are encrypted in an HTTPS GET request (this is where form field responses or program variables are tagged on to the end of the URL). These fields are stripped off of the URL when the browser creates the routing information in the HTTPS packaging process, and they are included in the encrypted data block.
The page data (form, text, and query string) are passed in the encrypted block after the encryption methods are determined and the handshake completes.
A related issue that frequently comes up is whether or not form data is transmitted with encryption if the blank form is displayed without HTTPS. If the form “action” is set to use HTTPS, then the SSL handshake will take place before the data is sent. Whether or not the original form is displayed using HTTPS has little to do with the form submission unless the form action uses a relative path, in which case the default will be to use the protocol that was used to display the form.
This applies to both the request and the response.
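The form-action behaviour described above, as an added example that is not from the original article: a Python check that resolves each form's action against the URL of the page that displayed it and reports whether the submission would travel over HTTPS. The host name shop.example and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActionCollector(HTMLParser):
    """Collect the raw action attribute of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            self.actions.append(dict(attrs).get("action") or "")


def audit_form_actions(page_url, html):
    """Return (raw_action, resolved_url, encrypted) for each form.

    A relative action inherits the scheme of the page that displayed the
    form; an absolute action uses its own scheme regardless of the page.
    """
    collector = FormActionCollector()
    collector.feed(html)
    results = []
    for raw in collector.actions:
        resolved = urljoin(page_url, raw)
        encrypted = urlsplit(resolved).scheme == "https"
        results.append((raw, resolved, encrypted))
    return results


# Constructed sample page (not from the article).
SAMPLE_HTML = """
<form action="https://shop.example/checkout" method="post"></form>
<form action="/login" method="post"></form>
<form action="search.cgi" method="get"></form>
<form action="//shop.example/pay" method="post"></form>
"""

if __name__ == "__main__":
    for page in ("http://shop.example/cart/", "https://shop.example/cart/"):
        print(page)
        for raw, resolved, encrypted in audit_form_actions(page, SAMPLE_HTML):
            status = "encrypted" if encrypted else "CLEARTEXT"
            print(f"  {raw!r:35} -> {resolved:40} {status}")
```

Only the form with an absolute https action is encrypted when the page itself was served over http; the relative and scheme-less actions follow the page's protocol.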