Data received from HTTPS is encrypted?

14

If I install SSL and use HTTPS on my site, for example, and I submit a POST form, does the form data arrive at the server encrypted?

If yes, how do I decrypt it using PHP?

asked by anonymous 07.02.2015 / 04:33

2 answers

21

SSL / TLS is a layer of transport-level encryption. This means that:

  • Yes, the data arrives encrypted; only the user's browser and your server have access to them, no one in the middle can see or change them without being noticed;

  • You do not need to do anything in PHP to decrypt, since PHP operates on the application layer, not on transport. As the image below shows, everything in the layers above it (including the HTTP protocol itself) continues to operate normally, without even noticing what is happening below:

    The query string and the entire body of the POST request, although encrypted in transit, will be available in their original format to your PHP code. So to access them, just do the same as you would over an unencrypted connection (i.e. plain http://).

    07.02.2015 / 05:43
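To make the answer concrete, here is an added example (not code from the answer's author): a PHP form handler that reads `$_POST` exactly as it would over plain HTTP, because TLS has already been stripped below the application layer, and that refuses to process the submission unless the request actually arrived over HTTPS. It assumes that if a reverse proxy terminates TLS in front of PHP, that proxy sets `X-Forwarded-Proto`; the proxy address and field names are constructed placeholders.

```php
<?php
// Added example, not from the original answers: a POST handler that reads
// the form the same way it would over plain HTTP, but only processes it
// when the request really came over TLS (directly or via a trusted proxy).
// Assumption: a TLS-terminating reverse proxy, if any, sets X-Forwarded-Proto.

declare(strict_types=1);

const TRUSTED_PROXY_IPS = ['10.0.0.5']; // constructed placeholder address

function requestIsHttps(array $server, array $trustedProxies): bool
{
    // Case 1: the web server running PHP terminated TLS itself.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Case 2: TLS terminated by a proxy; trust the header only from it.
    $remote = $server['REMOTE_ADDR'] ?? '';
    $proto  = strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '');
    return in_array($remote, $trustedProxies, true) && $proto === 'https';
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}

if (!requestIsHttps($_SERVER, TRUSTED_PROXY_IPS)) {
    // Refuse to handle personal data or credentials sent in the clear.
    http_response_code(403);
    header('Content-Type: text/plain');
    exit("Submit this form over https:// only.");
}

// Ask browsers to use HTTPS for future visits (one year).
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');

// The TLS layer decrypted the body before PHP ever saw it: $_POST already
// holds the plaintext fields, so there is no decryption step to perform.
$email   = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
$message = trim((string)($_POST['message'] ?? ''));

if ($email === false || $email === null || $message === '') {
    http_response_code(400);
    exit("Missing or invalid fields.");
}

// From here on the data is plaintext inside the application; protecting
// it at rest is the application's job, not something HTTPS provides.
echo 'Received ', strlen($message), ' bytes from ', htmlspecialchars($email);
```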
    11

    The answer from mgibsonbr already explains perfectly what you want to know in this question. As I know you're interested in end-to-end encryption, I'll add something important so that you don't use the wrong tool.

    Using HTTPS is not end-to-end encryption. The end-to-end concept can only be applied when encryption is used at the application layer. In theory it would be possible to apply it at other layers, but given the way they work in practice, it is not possible without building a huge kludge that makes no sense. At least, I can't see it any other way.

    Using HTTPS the way it works today means that there will be an intermediary; at some point the information will be decrypted by an agent other than the endpoints. As said in the other answer, the application does not have to deal with encryption and in general does not even know that the data traveled encrypted; it is totally transparent. Even if the PHP code immediately encrypts it again, the guarantee of privacy and data authenticity is already compromised, even if nothing bad is done with it.

    Regardless of whether you want to use end-to-end, it's a good idea for developers to know that HTTPS only guarantees secure data transport. Once the data becomes available to the application, there is no security: a compromised server or an application that leaves holes can expose data without any protection. And this is a very common misunderstanding. There is a false impression of security when HTTPS is used.

    There is no half security

    Either it's secure or it's insecure. Being insecure for a fraction of a second is enough to classify something as insecure. Any breach in the server's application, or a compromise of the server (even through authorized access), may allow access to information that is readily available without encryption.

    And key-dependent encryption needs to have the key securely tested. It is no use encrypting something and making the keys available in the same environment or another compromised environment. If you can decrypt, you need to have all the keys in that environment.

    This is generally not considered a problem. It is taken for granted that the server is totally secure. When you are not aiming for E2E, this is no problem. But when the goal is E2E, only the endpoints can be vulnerable. And it is good to know that this has no solution. E2E can only guarantee that there will be no access during the whole communication process; once it arrives at the end, you can no longer guarantee anything.

    07.02.2015 / 14:19