HTTPS Establishes an underlying SSL conenction before any HTTP data is
transferred. This ensures that all URL data (with the exception of
hostname, which is used to establish the connection) is carried solely
within this encrypted connection and is protected from
man-in-the-middle attacks in the same way that any HTTPS data is.
All HTTP-level transactions within an HTTPS connection are conducted
within the established SSL session, and no query data is transferred
before the secure connection is established.
From the outside the only data that is visible to the world it the
hostname and port you are connecting to. Everything else is simply a
stream of binary data which is enctypted using a private key shared
only between you and the server.
In the example you provide your browser would do this:
1) Derive hostname (and port if present) from from URL.
2) Connect with to host.
3) Check certificate (it must be 'signed' by known authority, apply
specifically to correct IP address and port, and be current).
4) The browser and server exchange cryptographic data and the browser
receives a private key.
5) The HTTP request is made, encrypted with established cryptography.
6) HTTP response is received. Also encrypted.
HTTP is an 'Application Layer' protocol, it is carried on top of the
secure layer. According the SSL specification, drawn up by Netscape,
dictates that no application layer data may be transmitted until a
secure connection is established - as outlined in the following
"At this point, a change cipher spec message is sent by the client,
and the client copies the pending Cipher Spec into the current Cipher
Spec. The client then immediately sends the finished message under
the new algorithms, keys, and secrets. In response, the server will
send its own change cipher spec message, transfer the pending to the
current Cipher Spec, and send its finished message under the new
Cipher Spec. At this point, the handshake is complete and the client
and server may begin to exchange application layer data."
So yes. The data contained in the URL query on an HTTPS connection is
encrypted. However it is very poor practice to include such sensitive
data as a password in the a 'GET' request. While it cannot be
intercepted, the data would be logged in plaintext serverlogs on the
receiving HTTPS server, and quite possibly also in browser history. It
is probably also available to browser plugins and possibly even other
applications on the client computer. At most an HTTPS URL could be
reasonably allowed to include a session ID or similar non-reusable
variable. It should NEVER contain static authentication tokens.
The HTTP connection concept is most clearly explained here: