Are there any security concerns with this? Is the URL of a GET request over SSL encrypted as well as the payload? I assume it must be if they are sending credit card information that way?
SSL/TLS is at a lower level than HTTP. The whole connection is secure as all the encryption is set up before the HTTP request is even sent. This is why SSL used to always require a dedicated IP address - The server didn't even know what domain you were going to while the connection was being set up (as the host name is in the HTTP headers) so you could only have one SSL certificate per IP address.
Server Name Indication (http://en.wikipedia.org/wiki/Server_Name_Indication) works around this by sending the host name during the TLS handshake, so that multiple domains can use SSL on the same IP address. In this case, only the host name is sent in the clear. The whole HTTP request and response are still encrypted.
If only all browsers supported SNI. The Android 1.x/2.x browser annoyingly doesn't (it's actually the fault of the Java Apache HttpClient). And ~75% of Android users are stuck on it.
Almost right. The entire URL, including the hostname, is "encrypted," but you still have to have the IP address of the machine you're talking to, which means your machine will probably be doing (unencrypted) DNS lookups and will send encrypted packets to the target's IP address.
Attackers can see the hostname of the machine you're talking to, but not because it's an "unencrypted" part of the SSL packet somehow.
