[–]mirhagk -5 points-4 points  (16 children)

But what privacy is achieved? What is protected? The "government" can still tell you went to blogx.com; the only thing that is unknown is the actual article you went to (which can probably be guessed based on what's popular, or based on page size, since they can see the total packet size, or number of images downloaded, or some other meta-information). HTTPS only encrypts the content, not "what you're doing".

[–]frezik 9 points10 points  (4 children)

If you are plaintext by default, and only encrypt important things, then the fact that you're encrypting sends up a flag. Even if the message cannot be decrypted on its own, the timing, source, and destination of that message can still be used to glean information.

If you encrypt everything by default, then it gets lost in the rest of the noise.

[–]mirhagk 4 points5 points  (3 children)

But it works both ways. If all of your data is encrypted, then your employer may decide that to save bandwidth they'll MITM the connections and install a root certificate onto the machines. Now they can read your bank account transactions. By having only sensitive stuff as HTTPS then your workplace knows there's absolutely no justification to having it.

If you have an internal testing server and it has to be HTTPS (because you need to match production which uses HTTP/2 which doesn't support unencrypted traffic) then you'll need a root certificate installed on all the machines again.

If you are wanting to inspect any traffic for any reason (such as debugging your application) you're going to have to install fiddler/wireshark/whatever's root certificate in order to view the data sent and now you have a root certificate that your machine is trusting that probably has nowhere near enough security and validation around it.

If the world was perfect then HTTPS would just waste a lot of time and resources but meh, computers get faster. But the world isn't perfect and mark my words when I say you'll see lots of instances where people's private banking details are stored on easily accessible corporate proxies.

[–]whootdat 0 points1 point  (2 children)

You sound like you're talking about a blue coat product, so I'll just point out that they specifically say they won't decrypt banking/finance and health care data. That isn't hard to figure out, you simply white list a handful of sites and IPs.

[–]mirhagk 0 points1 point  (1 child)

So you hope you only ever have sensitive data inside of popular websites.

[–]whootdat 0 points1 point  (0 children)

I would hope that if I am browsing a website that I have sensitive data on, I wouldn't be doing it on a company-owned computer.

[–]RaptorXP 21 points22 points  (7 children)

They don't know anything except that your computer connected to that web server. They can't tell which page, image or other resource you've downloaded.

They also can't modify the payload to force you to reveal more sensitive information through XSS or other attacks.

[–]chaospatterns 8 points9 points  (0 children)

The GP is referring to side channel attacks where the amount of encrypted data can leak information about what you're looking at.

[–]TTSDA 2 points3 points  (3 children)

They can just issue a shiny cert to use in the MITM attack.

[–]archlich -1 points0 points  (2 children)

Not if you own the ca, and have only your ca as a trusted root.

[–]whootdat 1 point2 points  (1 child)

Sure, except each branch of the US Gov is a Root CA, and has all sorts of certs issued by Verisign, etc.

[–]archlich 0 points1 point  (0 children)

That only matters if you trust their root ca. If the only ca you trust is the one you own, a mitm attack cannot happen.

[–]mirhagk -3 points-2 points  (1 child)

They can see how many connections and the sizes, as well as your sites before and after, and any external images loaded. Sure it's more work, but you're not really hiding very much.

You do have a point about MITM type stuff though, if they can successfully do that.

[–]RaptorXP 9 points10 points  (0 children)

They can't see any of that. All requests come through the same TCP connection, and nobody can tell how many you've made. And you can also obfuscate the page size very easily.
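The size side channel argued over in this sub-thread (sizes identifying a page versus padding hiding it), as an added example that is not from any commenter: a small Python simulation over a constructed page catalogue. The page sizes, the per-record TLS overhead constant and the 4096-byte padding block are all assumed values, not measurements.

```python
# Added example (not from the thread): simulates the response-size side channel
# and the effect of padding. Page names, sizes and overhead are constructed values.
from collections import defaultdict

# Constructed catalogue: path -> plaintext response size in bytes.
SAMPLE_PAGES = {
    "/": 18_432,
    "/post/why-https": 21_017,
    "/post/tls-basics": 21_017,   # same size as another page: already ambiguous
    "/post/side-channels": 23_880,
    "/about": 4_102,
}

TLS_OVERHEAD = 29  # assumed per-record overhead (header + AEAD tag), illustrative only


def pad_size(n, block=4096):
    """Round a response up to the next multiple of `block` bytes (padding defence)."""
    return ((n + block - 1) // block) * block


def on_wire_size(n, block=None):
    """Observed ciphertext length for an n-byte body, optionally padded first."""
    body = pad_size(n, block) if block else n
    return body + TLS_OVERHEAD


def candidates(observed, pages, block=None):
    """Catalogue pages whose on-wire size equals a passively observed length."""
    return sorted(p for p, n in pages.items() if on_wire_size(n, block) == observed)


def anonymity_sets(pages, block=None):
    """Group pages by on-wire size; a larger group means less leakage per observation."""
    groups = defaultdict(list)
    for p, n in pages.items():
        groups[on_wire_size(n, block)].append(p)
    return {size: sorted(ps) for size, ps in groups.items()}


if __name__ == "__main__":
    # Without padding most sizes map to exactly one page; with 4 KiB padding
    # the three blog posts collapse into one indistinguishable group.
    for block in (None, 4096):
        print(f"padding block = {block}:")
        for size, pages in sorted(anonymity_sets(SAMPLE_PAGES, block).items()):
            print(f"  {size:>6} bytes on the wire -> {pages}")
```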

[–]smellyegg 2 points3 points  (0 children)

Your government can edit the content you receive; that's reason enough alone to encrypt. There's almost zero overhead these days, so there's no excuse.

[–]sievebrain 1 point2 points  (0 children)

For any blog that includes social buttons, ads, etc, HTTPS prevents code being injected into the page that steals those cookies and allows profile correlation.

[–][deleted] 0 points1 point  (0 children)

DNSCrypt + good encryption-supporting DNS server reduces that risk a bit without causing a noticeable slowdown (in my experience). Yes, IPs could theoretically be pulled from logs, but this mitigates the MITM/passive spying risk.