Monday, December 07, 2015

Ruminating on SSL and encrypted URLs

Recently, a colleague of mine asked an innocuous question that was quite interesting. We all knew that SSL protects the URL and hence it is not possible to snoop details out of the URL - for e..g GET params, resource path on server, etc.

But if the URL is encrypted by SSL, how does DNS work? How will the DNS server route the request to the right server?

The way it happens is as below:

  1. When a HTTP client (browser / API client) makes a request to a HTTPS URL, it only send the server name part of the URL to the DNS server. For e.g. if you are making a request to https://myserver.com/secret_path/secret_resource, then the HTTP client would only send 'myserver.com' to the DNS server for lookup. 
  2. The DNS server responds back with the actual IP address of the server. 
  3. The HTTP client then makes a call to the server using the IP address. What follows is the SSL handshake protocol and a secure connection is established with the server.
  4. Then the HTTP server makes a request for the actual resource on the secure pipe/tunnel. 

Quite simple actually, if you break down the steps :)