Yes your URL would be safe from sniffing; however, one hole that is easily overlooken is if your page references any third party resources such as Google Analytics, Add Content anything, your entire URL will be sent to the third party in the referer. If its really sensitive it doesn't belong in the query string.

是的，您的 URL 不会被嗅探；然而，一个容易被忽视的漏洞是，如果您的页面引用了任何第三方资源，例如 Google Analytics、添加内容等，您的整个 URL 将通过引用发送给第三方。如果它真的很敏感，它就不属于查询字符串。

As for your second part of the question, you can't use SSL if you don't have a certificate on the server.

至于问题的第二部分，如果服务器上没有证书，则不能使用 SSL。

http://answers.google.com/answers/threadview/id/758002.html

http://answers.google.com/answers/threadview/id/758002.html

HTTPS Establishes an underlying SSL connection before any HTTP data is transferred. This ensures that all URL data (with the exception of hostname, which is used to establish the connection) is carried solely within this encrypted connection, and is protected from man-in-the-middle attacks in the same way that any HTTPS data is.

All HTTP-level transactions within an HTTPS connection are conducted within the established SSL session, and no query data is transferred before the secure connection is established.

From the outside the only data that is visible to the world is the hostname and port you are connecting to. Everything else is simply a stream of binary data which is encrypted using a private key shared only between you and the server.

In the example you provide your browser would do this:

1. Derive hostname (and port if present) from URL.
2. Connect to host.
3. Check certificate (it must be 'signed' by a known authority, applied specifically to correct IP address and port, and be current).
4. The browser and server exchange cryptographic data and the browser receives a private key.
5. The HTTP request is made, and encrypted with established cryptography.
6. HTTP response is received. Also encrypted.

HTTP is an 'Application Layer' protocol. It is carried on top of the secure layer. According to the SSL specification, drawn up by Netscape, it dictates that no application layer data may be transmitted until a secure connection is established - as outlined in the following paragraph:

"At this point, a change cipher spec message is sent by the client, and the client copies the pending Cipher Spec into the current Cipher Spec. The client then immediately sends the finished message under the new algorithms, keys, and secrets. In response, the server will send its own change cipher spec message, transfer the pending to the current Cipher Spec, and send its finished message under the new Cipher Spec. At this point, the handshake is complete and the client and server may begin to exchange application layer data." http://wp.netscape.com/eng/ssl3/draft302.txt

So yes. The data contained in the URL query on an HTTPS connection is encrypted. However it is very poorpractice to include such sensitive data as a password in a 'GET' request. While it cannot be intercepted, the data would be logged in plaintext server logson the receiving HTTPS server, and quite possibly also in browser history. It is probably also available to browser pluginsand possibly even other applications on the client computer. At most a HTTPS URL could be reasonably allowed to include a session ID or similar non-reusable variable. It should NEVER contain static authentication tokens.

The HTTP connection concept is most clearly explained here: http://www.ourshop.com/resources/ssl_step1.html

HTTPS 在传输任何 HTTP 数据之前建立底层 SSL 连接。这可确保所有 URL 数据（用于建立连接的主机名除外）仅在此加密连接中传输，并以与任何 HTTPS 数据相同的方式防止中间人攻击.

HTTPS 连接中的所有 HTTP 级事务都在已建立的 SSL 会话中进行，在建立安全连接之前不会传输任何查询数据。

从外部看，世界唯一可见的数据是您要连接的主机名和端口。其他一切都只是一个二进制数据流，它使用仅在您和服务器之间共享的私钥进行加密。

在您提供浏览器的示例中，将执行以下操作：

1. 从 URL 派生主机名（和端口，如果存在）。
2. 连接到主机。
3. 检查证书（它必须由已知机构“签名”，专门用于正确的 IP 地址和端口，并且是最新的）。
4. 浏览器和服务器交换加密数据，浏览器接收私钥。
5. 发出 HTTP 请求，并使用已建立的密码术对其进行加密。
6. 收到 HTTP 响应。也是加密的。

HTTP 是一种“应用层”协议。它位于安全层的顶部。根据由 Netscape 制定的 SSL 规范，它规定在建立安全连接之前不得传输任何应用层数据 - 如以下段落所述：

“此时，客户端发送更改密码规范消息，客户端将挂起的密码规范复制到当前密码规范中。然后客户端立即根据新算法、密钥和秘密发送完成的消息。作为响应, 服务端会发送自己的change cipher spec消息，将pending转移到当前的Cipher Spec，并在新的Cipher Spec下发送其完成的消息，此时握手完成，客户端和服务端可以开始交换申请层数据。” http://wp.netscape.com/eng/ssl3/draft302.txt

所以是的。HTTPS 连接上的 URL 查询中包含的数据是加密的。然而， 在“GET”请求中包含诸如密码之类的敏感数据是非常糟糕的做法。虽然它无法被拦截，但数据将记录在接收 HTTPS 服务器的明文服务器日志中，并且很可能也记录在浏览器历史记录中。它可能也可用于浏览器插件甚至客户端计算机上的其他应用程序。最多可以合理地允许 HTTPS URL 包含会话 ID 或类似的不可重用变量。它永远不应该包含静态身份验证令牌。

HTTP 连接的概念在这里解释得最清楚：http: //www.ourshop.com/resources/ssl_step1.html

The requested URI (/test?abc=123) is sent to the web server as part of the HTTP request header and thus encrypted.

请求的 URI (/test?abc=123) 作为 HTTP 请求标头的一部分发送到 Web 服务器并进行加密。

However URLs can leak in other ways, usually web browser toolbars, bookmarks, and sending links to friends. POSTing data may be more appropriate depending on the context/sensitivity of the data you're sending.

但是，URL 可能会以其他方式泄漏，通常是 Web 浏览器工具栏、书签和向朋友发送链接。根据您发送的数据的上下文/敏感性，发布数据可能更合适。

I believe an HTTPS connection requires an SSL certificate, even a self-generated one if you don't want to buy one.

我相信 HTTPS 连接需要 SSL 证书，如果您不想购买，甚至是自行生成的证书。

Hope that helps a bit!

希望那有所帮助！

depends on what you mean by safe

取决于你所说的安全是什么意思

SSL encrypts the entire HTTP request/response, so the URL in the GET portion will be encrypted. This does not stop MITM attacks and corruption of the integrity of the SSL session itself. If a non-authoritative certificate is used, this makes potential attack vectors simpler.

SSL 加密整个 HTTP 请求/响应，因此 GET 部分中的 URL 将被加密。这不会阻止 MITM 攻击和破坏 SSL 会话本身的完整性。如果使用非权威证书，这会使潜在的攻击媒介更简单。

Are REST request headers encrypted by SSL?

REST 请求标头是否由 SSL 加密？

Is a similar question.

是一个类似的问题。

The url:s will be stored both in the server logs and in the browser history so even if they aren't sniffable they are far from safe.

url:s 将同时存储在服务器日志和浏览器历史记录中，因此即使它们不可嗅探，它们也远非安全。

On the wire, yes. At the end points (browser and server) not necessarily. SSL/TLS is transport layer security. It will encrypt your traffic between the browser and the server. It is possible on the browser-side to peek at the data (a BHOfor example). Once it reaches the server-side, it is available to the recipient of course and is only as secure as he treats it. If the data needs to move securely beyond the initial exchange and protected from prying eyes on the client, you should also look at message layer security.

在电线上，是的。在端点（浏览器和服务器）不一定。SSL/TLS 是传输层安全。它将加密您在浏览器和服务器之间的流量。可以在浏览器端查看数据（例如BHO）。一旦它到达服务器端，它当然对接收者可用，并且只有他对待它时才安全。如果数据需要安全地移动到初始交换之外并防止被客户端窥探，您还应该查看消息层安全性。

The SSL/TSL is a Transport Layer Security, yes the data can be picked with BHO (as @JP wrote) or any add on but also with "out of browser" HTTP sniffers. They read messaging between winsock32 and the application. The encryption takes place in the winsock32 not in the browser.

SSL/TSL 是一种传输层安全性，是的，可以使用 BHO（如@JP 所写）或任何附加组件来获取数据，但也可以使用“浏览器外”HTTP 嗅探器来获取数据。他们读取 winsock32 和应用程序之间的消息。加密发生在 winsock32 中，而不是在浏览器中。

Take a look (this part was taked from the page of IEinspector): IEInspectorHTTP Analyzer is such a handy tool that allows you to monitor, trace, debug and analyze HTTP/HTTPStraffic in real-time.

看一看（这部分取自 IEinspector 的页面）： IEInspectorHTTP Analyzer 是一个非常方便的工具，它允许您实时监控、跟踪、调试和分析 HTTP/ HTTPS流量。