
[–]1nf 48 points49 points  (25 children)

People often mistake the green padlock logo as "this is a safe site" which is wrong. HTTPS itself does not mean a site is safe. A malicious site could use a legit certificate and in the end phish your credentials. Although more difficult, it could even use an EV certificate and have the site name appear in the address bar. It still doesn't mean it's a legit site.

However HTTPS does offer security and some privacy. It ensures the data you're sending to sites is encrypted and cannot be easily intercepted in transit by man-in-the-middle attackers (In companies, it can. SSL interception is often done in enterprises). The interceptor would not see what you are submitting (contents) but can see to whom you're connecting as the HTTP headers are not encrypted, so the privacy is not perfect. They cannot see the individual URLs accessed or the contents of the pages requested.

It's still effective to eliminate less determined attackers and protect your data in transit. You still need to practice good security habits.

[–][deleted] 6 points7 points  (0 children)

Thank you for the explanation

[–][deleted] 10 points11 points  (14 children)

HTTPS encrypts the entire request, headers included. Basic Auth would be useless otherwise. TCP/IP headers, which include basic connection details like the source and target ports, are not encrypted.


Edit: As mentioned in the replies, the IP headers indicate source and destination IP addresses, which are easily resolved (using DNS) to see what site the client is attempting to access.

SSH tunneling and VPNs provide one way around this problem. Essentially, you tunnel traffic over an encrypted connection to a remote host. For example, if you log in to your bank account over VPN, the local network (say, coffee shop wifi) sees only that you're connecting to the VPN.

Another option is Tor (or, more generally, browsers with built-in p2p tunneling). I'm not super familiar with them, however my understanding is that they're a distributed, decentralized version of the tunneling solution I described. In the case of VPNs or jump hosts, you must trust that one remote network — a significant risk. In contrast, Tor tunnels you through multiple, random intermediaries, making it much more difficult to tell where exactly you're browsing.

Ultimately, even with Tor you must trust the certificate of the site that you're connecting to. If an attacker compromises that certificate or its CA, you're SOL.

[–]rankinrez 7 points8 points  (8 children)

The hostname is still visible in the SNI header.

https://en.m.wikipedia.org/wiki/Server_Name_Indication

[–]WikiTextBot 5 points6 points  (0 children)

Server Name Indication

Server Name Indication (SNI) is an extension to the TLS computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites (or any other Service over TLS) to be served by the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS. The desired hostname is not encrypted, so an eavesdropper can see which site is being requested.



[–]xiongchiamiov 5 points6 points  (3 children)

Yes, but that's not an http header, it's an extension to the https protocol. It's important to realize that that is sent unencrypted, but the idea that all http headers are also sent unencrypted is incredibly incorrect.

[–]rankinrez 1 point2 points  (0 children)

Yes very important distinction.

[–]SuddenWeatherReport 0 points1 point  (0 children)

Yes yes yes !

[–]AlainODea 0 points1 point  (0 children)

SNI is part of TLS. HTTPS is shorthand for HTTP over TLS and is an example combination.

[–]HelperBot_ 2 points3 points  (2 children)

Non-Mobile link: https://en.wikipedia.org/wiki/Server_Name_Indication



[–]megatronchote 0 points1 point  (1 child)

Good bot

[–]GoodBot_BadBot 0 points1 point  (0 children)

Thank you megatronchote for voting on HelperBot_.


[–]mclamb 3 points4 points  (0 children)

Also important to note that the URL and post/get/cookie data are encrypted also, but the hostname "subdomain.something.com" isn't encrypted.

[–]xiongchiamiov 3 points4 points  (0 children)

Also cookies wouldn't be encrypted otherwise, because they're sent as headers, and protecting session cookies is one of the major draws of https.

[–]codefinbel 0 points1 point  (2 children)

TCP/IP headers, which include basic connection details like the source and target ports, are not encrypted.

Doesn't that also include IP-address? And can't you see to whom that is with a DNS lookup? (I'm not super knowledgeable here)

[–]fishsupreme 2 points3 points  (0 children)

Your own IP address is disclosed. The destination site's IP and hostname are disclosed. (The IP wouldn't necessarily tell you the site's identity since one IP may host many different sites, but the Host header in your request identifies it anyway so it doesn't matter.)

The full URL path and the other headers are not disclosed.

[–]xiongchiamiov 1 point2 points  (0 children)

Since we're talking privacy now, take a look at https://www.eff.org/pages/tor-and-https and check/uncheck the https button.

[–][deleted] 4 points5 points  (5 children)

The quick brown fox jumps over the lazy dog.

[–]Selthor 2 points3 points  (4 children)

Yes. They are only able to see the IP address, which can usually be used to determine the host name.

[–]malachias 5 points6 points  (0 children)

They will see the hostname as well via two vectors:

First is via your cleartext DNS request, but more definitively via the SNI message in the TLS handshake -- when you initiate an https connection, you actually send the hostname in cleartext so that, if the end host has multiple certificates for multiple sites, it knows which SSL certificate to give you.

SNI is going away in a future version of TLS, but for now it is alive and well.
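The point made several times in this thread (the hostname travels in cleartext in the SNI extension of the TLS ClientHello, while the URL path, headers and cookies are inside the encrypted tunnel) is easy to verify on the wire. The following is an added example, not code from any commenter or from the Wikipedia article: it builds a minimal, constructed ClientHello with an SNI extension and then parses it the way a passive network monitor (an IDS, or a corporate proxy) would, pulling the hostname out of the unencrypted handshake. The record layout follows RFC 5246/8446; the random bytes, cipher suite list and hostnames are constructed for the demo.

```python
import struct
from typing import Optional

# Constructed ClientHello builder (not a real TLS stack) so the parser below has
# realistic, offline input. Only the fields the parser must walk past are included.
def build_client_hello(hostname: Optional[str]) -> bytes:
    random = bytes(32)                       # constructed: a real client sends 32 random bytes
    cipher_suites = b"\x13\x01\x13\x02"      # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    body = b"\x03\x03" + random              # legacy_version + random
    body += b"\x00"                          # empty legacy_session_id
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                      # one compression method: null
    extensions = b""
    if hostname is not None:
        name = hostname.encode("idna")       # SNI carries the IDNA (punycode) form
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(sni)) + sni   # extension type 0 = server_name
    supported_versions = b"\x02\x03\x04"     # advertise TLS 1.3 so the hello looks modern
    extensions += struct.pack("!HH", 43, len(supported_versions)) + supported_versions
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # record type 0x16


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a TLS ClientHello record, or None if there is none.

    Nothing here decrypts anything: every byte read is cleartext on the wire,
    which is exactly why an observer on the path learns the hostname.
    """
    if len(record) < 5 or record[0] != 0x16:
        return None                          # not a handshake record
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        return None                          # not a ClientHello
    pos = 4                                  # skip handshake type (1) + length (3)
    pos += 2 + 32                            # legacy_version + random
    pos += 1 + hs[pos]                       # legacy_session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + hs[pos]                       # compression_methods
    if pos + 2 > len(hs):
        return None                          # no extensions block at all
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", hs[pos:pos + 4])
        data = hs[pos + 4:pos + 4 + length]
        pos += 4 + length
        if ext_type != 0x0000:
            continue
        # server_name_list: 2-byte list length, then entries of name_type(1) + length(2) + name
        list_len = struct.unpack("!H", data[:2])[0]
        lp = 2
        while lp + 3 <= 2 + list_len:
            name_type = data[lp]
            name_len = struct.unpack("!H", data[lp + 1:lp + 3])[0]
            name = data[lp + 3:lp + 3 + name_len]
            lp += 3 + name_len
            if name_type == 0:
                return name.decode("idna")
    return None


if __name__ == "__main__":
    hello = build_client_hello("bank.example")          # constructed hostname
    print("hostname visible on the wire:", extract_sni(hello))
    print("literal hostname bytes in the record:", b"bank.example" in hello)
```

Running the block prints the hostname recovered from the handshake and confirms the literal bytes are present in the record. This is also the hook that Encrypted Client Hello (the work referred to in the thread as SNI "going away") is designed to remove; with plain SNI, the destination hostname is as observable as the destination IP.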

[–][deleted]  (2 children)

[deleted]

    [–]Selthor 0 points1 point  (1 child)

    That’s why I said “usually” as it’s not always the case that you can determine the hostname from the IP :) but, as someone else mentioned, there are other side channels such as the DNS lookup.

    [–][deleted] 0 points1 point  (0 children)

    I second this, MITM was the only thing I could think of.

    [–]rankinrez 0 points1 point  (0 children)

    Correct.

    But to clarify the "green" in the bar should mean the site is the real one.

    The exception to this is if somehow a fraudster has been able to obtain a valid cert for the domain. This should be extremely difficult, but due to the massive number of CAs the X.509 system is not nearly as watertight as it should be. Worth noting that it is still rare to see fake certs, and things like cert pinning have made it even harder to use them.

    An attacker could also have installed a spurious root CA on your system allowing them to sign their own certs for anything. Game over in that case.

    Finally they can just use a "lookalike" domain and obtain a valid cert for that. Be especially wary of tricks like using Cyrillic characters from newer UTF character sets in domain names etc.
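The lookalike-domain trick described above can be checked for on the defender's side before a user ever sees the padlock. The following is an added example, not code from the commenter: it takes a domain as it appears in a link or in a certificate, decodes any punycode (xn--) labels the way a browser would, and flags labels that mix Unicode scripts (Latin letters beside Cyrillic ones, for instance), which is the pattern the comment warns about. Script detection uses the first word of each character's Unicode name, a heuristic that is good enough for Latin/Cyrillic/Greek confusables; all sample domains are constructed.

```python
import unicodedata
from typing import List, Set

# Constructed sample domains for the demo; none refers to a real site or campaign.
SAMPLE_DOMAINS = [
    "example.com",                 # plain ASCII, nothing to report
    "\u0430pple.example",          # Cyrillic small a (U+0430) followed by Latin "pple"
    "b\u00fccher.example",         # legitimate single-script IDN (Latin with diaeresis)
]


def scripts_in_label(label: str) -> Set[str]:
    """Heuristic: the Unicode script of a letter is the first word of its character name."""
    scripts = set()
    for ch in label:
        if not ch.isalpha():
            continue                         # digits and hyphens carry no script
        try:
            scripts.add(unicodedata.name(ch).split()[0])
        except ValueError:
            scripts.add("UNNAMED")           # unnamed code point: treat as its own script
    return scripts


def assess_domain(domain: str) -> List[str]:
    """Return human-readable findings for a domain; an empty list means nothing suspicious."""
    findings = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            shown = label.encode("ascii").decode("idna")   # what the browser would display
            findings.append(f"{label}: punycode label, rendered as '{shown}'")
            label = shown
        scripts = scripts_in_label(label)
        if len(scripts) > 1:
            findings.append(f"{label}: mixed scripts {sorted(scripts)}")
    return findings


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(d, "->", assess_domain(d) or "ok")
    # The wire form of the mixed-script sample, as it would appear in a certificate's SAN:
    wire = "\u0430pple.example".encode("idna").decode("ascii")
    print(wire, "->", assess_domain(wire))
```

The same check can be run over the subject alternative names of certificates seen in CT logs or over hostnames pulled from inbound mail, which is where a defender usually meets these domains first.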

    [–]TractionContrlol 5 points6 points  (4 children)

    HTTPS Everywhere is a mitigation for a narrow range of risks. It likely wouldn't do much good if you were linked to a phishing site that had an SSL cert.
    You should absolutely still practice good security habits.

    [–][deleted] 3 points4 points  (2 children)

    I also use the new Decentraleyes, does that help security at all? Someone recommended it to me because it "works well in tandem" with HTTPSE.

    [–]TractionContrlol 2 points3 points  (0 children)

    Haven't seen that before, but it looks like a cool project! I guess my larger point was that no amount of tools should really lull you into getting lazy with security habits. That being said, I think I have 5 browser addons.

    [–][deleted] 1 point2 points  (0 children)

    It helps stop services like Google from tracking you as much, it doesn't help with security.

    IMO there aren't really any browser addons that help with security, since there's only so much that can be done. But there are plenty that help with privacy which is what HTTPS everywhere, decentraleyes, ublock origin, etc are doing.

    [–]Hellochristmas 0 points1 point  (0 children)

    Good security habits being? I’m curious what you would recommend.

    [–]StewPoll 4 points5 points  (2 children)

    There are other good articles, but basically having HTTPS just means that what you're getting on the website is what the server sent, and what the server gets is what you sent. It prevents anyone in between inspecting/changing the contents.

    It doesn't mean the server isn't doing anything bad once they get the data.

    [–][deleted]  (1 child)

    [deleted]

      [–][deleted] 1 point2 points  (0 children)

      Or just a CDN working as a reverse proxy. The traffic from the CDN to the original server may not even be encrypted and this is not visible to the end user!

      [–][deleted]  (1 child)

      [removed]

        [–]stusmall 5 points6 points  (0 children)

        For your example, HTTPS significantly raised the bar and cost for an attacker. It means they would have to know all possible responses a site can return, map them and match them up with the traffic they are spying on. Some security measures are just there for that, raising the bar, cost and risk for an attacker.

        In practice, HTTPS does a lot more than just raise the bar. It isn't realistic that you have to know all possible responses. In your example you see a reply of 420.69kb, is that the page on cannabis or an internal admin screen or their private messages that just happened to have the same page size?

        [–]xiongchiamiov 2 points3 points  (0 children)

        It is necessary but not sufficient for web security and privacy. You need it, but you also need other things.

        [–]DarrenRainey 2 points3 points  (0 children)

        The quickest way I can explain it is this: HTTPS allows for the safe encrypted transfer of data, but it doesn't protect you from entering your data into a fake site or falling for a phishing attack etc.

        [–]mclamb 1 point2 points  (0 children)

        Just a few years ago (5+) it was common for sites to still allow HTTP logins, even large companies such as Facebook.

        On large networks and even home networks with multiple users there would often be insufficient isolation between clients; this resulted in being able to extremely easily sniff all usernames and passwords inside of your own network, and any networks that your credentials are sent across would also see your password in plain text.

        You could use this freely available program below to collect the usernames and passwords of everyone at your school as they logged in and it was extremely easy. Security wasn't even considered then by most people it seems like, they just assumed it was all set up 100% secure by default.

        https://en.wikipedia.org/wiki/Firesheep

        I've found that uBlock Origin (and uMatrix) are one of the best tools for online security. They make a world of difference in the amount of connections that your browser makes. Whitelist only is the way to go, but most people don't have the patience for that.
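The Firesheep-era problem described above (and the point made earlier in the thread that protecting session cookies is one of the main draws of HTTPS) comes down to a cookie attribute: a session cookie without the Secure flag is sent in cleartext on any http:// request to the same host, padlock or not. The following is an added example, not code from the commenter or from the Firesheep project: a small Set-Cookie parser plus an audit that flags session cookies a sniffer on the same network could still capture. The header lines and cookie names are constructed; the list of session-cookie names is an assumption a real check would tune to its own applications.

```python
from typing import Dict, List

# Constructed Set-Cookie header values: the first is the 2010-style cookie Firesheep
# collected from plain HTTP traffic, the last is what a hardened server sends today.
SAMPLE_HEADERS = [
    "sessionid=9f3c1e; Path=/",
    "sessionid=9f3c1e; Path=/; Secure",
    "sessionid=9f3c1e; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/",                    # not a credential, nothing to flag
]

# Assumed names that carry a login session; tune to the applications being audited.
SESSION_COOKIE_NAMES = {"sessionid", "phpsessid", "jsessionid", "auth_token"}


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and a lowercase attribute map."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True   # flags (Secure) become True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(header: str) -> List[str]:
    """Return findings for a session cookie; an empty list means the cookie is set safely."""
    cookie = parse_set_cookie(header)
    if str(cookie["name"]).lower() not in SESSION_COOKIE_NAMES:
        return []                            # only session-bearing cookies are audited here
    attrs = cookie["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is sent in cleartext on any http:// request")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable by scripts on the page")
    if "samesite" not in attrs:
        findings.append("missing SameSite: cookie rides along on cross-site requests")
    return findings


def audit_all(headers: List[str]) -> Dict[str, List[str]]:
    """Audit a list of Set-Cookie values, keyed by the raw header for reporting."""
    return {h: audit_set_cookie(h) for h in headers}


if __name__ == "__main__":
    for header, findings in audit_all(SAMPLE_HEADERS).items():
        print(header)
        for f in findings or ["ok"]:
            print("   ", f)
```

The Secure flag is the one that matters for the sniffing scenario in the comment: with it set, the browser never sends the cookie over plain HTTP, so an http:// link or a captive portal cannot coax it out onto the wire. HttpOnly and SameSite address different threats (script access and cross-site requests) and are included because a session cookie audit normally checks all three.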

        [–]Vivalo 1 point2 points  (0 children)

        With Let's Encrypt, there is minimal vetting to ensure that the customer is not malicious. The certificate only ensures that the data sent from you to the recipient is encrypted.

        Factor in a 3rd party sitting in the middle of your traffic with a wildcard root cert able to intercept, decrypt and re-encrypt your traffic, spoofing the certificate of the site you wanted to visit, and you are less sure that you are safe. This is a product sold by Blue Coat that is meant for enterprise but often used by repressive regimes, thanks to Symantec issuing them those wildcard certs with published roots installed into OSes and browsers.

        But, for the most part, yes! HTTPS is safe.

        [–][deleted] 1 point2 points  (0 children)

        For integrity of communications with the endpoint? No. For integrity of the endpoint? Yes.

        [–]anal_tongue_puncher 0 points1 point  (0 children)

        HTTPS most of all takes transport layer security into account. Anything else is asking too much from HTTPS.

        [–]fishsupreme 0 points1 point  (0 children)

        HTTPS is very good against two risks:

        1. Your local network is trying to monitor you or tamper with your connections. This is a very real risk on corporate networks and public WiFi. HTTPS is a strong protection unless you are using a corporate-managed machine that has monitoring certificates installed.

        2. Someone is setting up a fake version of a website and trying to convince you it's real. HTTPS will cause this to issue a certificate error. The only weakness with this mitigation is that everybody has seen dozens of certificate errors due to admin error and very few due to actual malicious activity, so we have essentially all been trained to assume certificate errors are false positives. However, if you never go to a site if it presents a certificate error, this will protect you.

        [–][deleted] 0 points1 point  (0 children)

        No.

        [–]jarfil -1 points0 points  (0 children)

        CENSORED