https - what exactly is encoded?

If I (ahem I mean a friend of mine) visit a https site and say click on and download boobies.jpg or similar,

(i) is the jpg file itself encrypted?
(ii) can my ISP (say for instance at work) tell the name of the file as I request it, or is even that info encrypted?

yours in innocence

or is it only forms that are encrypted?

Any time your browser makes a request via HTTPS, the request and the response are both encrypted (which would entail them also being encoded.)

Your ISP, if they wanted, could tell what sites your friend was visiting by examining the IP traffic, but would not be able to decipher the HTTPS requests.

Now then, the specific answer depends on how the site is built. It’s very possible that the site returns some HTML for a given request via HTTPS, but that HTML contains links to images via plain HTTP. In that case the images would be sent in the clear. However, most browsers will issue a warning if a page mixes secure and insecure data.

What friedo said.

I went on a course that explained this sort of thing but I’ve since forgotten most of it. However, your ISP will be able to see the URL that you’ve been to - https://www.whatever.com/boobies.htm - if this is a static page, they can stick that URL in their browser and get the same thing.

They can’t decipher what’s on that page by looking at what was sent to you, but they can look themselves. This is why it works for forms - the ISP or whatever won’t see your information displayed on their screen if they go to the same page - they’d need to decipher what was passed originally. Which they can’t.

Many thanks. I guess my friend won’t be browsing at work then as it is still not safe enough.
However I am confused between the two answers. www.whatever.com/ is the site which the ISP could tell he went to, but could it tell that he accessed the https://www.whatever.com/boobies/ subdirectory?

If the link is to https://www.whatever.com/xyz and not http://www.whatever.com/xyz, then anyone watching the raw IP traffic should only be able to see that you are requesting something from www.whatever.com, but not know it was xyz. This is because the entire channel is encrypted, including your request for the specific document.

Of course, all bets are off in an office LAN environment. They could have a key logger or something installed on your PC and just get the data that way.

great - exactly what I needed to know.

Actually they can’t even do that. They can tell you made an HTTPS request to www.whatever.com, but they can’t get the path information. That’s part of the HTTP request and is encrypted.