101 · Question #583
Without decrypting, what portion of an HTTPS session is visible with a packet capture?
The correct answer is A. Source IP Address. TLS encrypts the HTTP application layer payload, but the IP and TCP headers remain in plaintext and are visible in a packet capture without decryption.
Question
Without decrypting, what portion of an HTTPS session is visible with a packet capture?
Options
- ASource IP Address
- BHTTP Request Headers
- CCookies
- DHTTP Response Headers
How the community answered
(35 responses)- A86% (30)
- B3% (1)
- C9% (3)
- D3% (1)
Why each option
TLS encrypts the HTTP application layer payload, but the IP and TCP headers remain in plaintext and are visible in a packet capture without decryption.
The source IP address resides in the IP header, which is outside the TLS encryption envelope. TLS only encrypts the application-layer payload (HTTP request/response headers, body, cookies), so network-layer addressing information like source and destination IP addresses are always visible in a packet capture.
HTTP request headers are part of the application-layer payload and are fully encrypted inside the TLS record, making them unreadable without the session keys.
Cookies are transmitted within HTTP headers or the request body, both of which are encrypted by TLS and not visible in a packet capture without decryption.
HTTP response headers are part of the TLS-encrypted payload and cannot be read from a packet capture without decrypting the TLS session.
Concept tested: TLS encryption scope and visible packet fields
Source: https://www.rfc-editor.org/rfc/rfc8446
Topics
Community Discussion
No community discussion yet for this question.