
HTTPS and the illusion of privacy - Jeaye
https://blog.jeaye.com/2016/05/30/https-illusion/
======
dogma1138
Hmm the article mentions MITM but no mention of HSTS?

Also I have some big issues with this statement: >Without encryption, all of
your web browsing is to be considered public knowledge.

Even with encryption your web browsing history is "public knowledge", even
without effective MITM attacks that break HTTPS any actor that can monitor the
traffic between you and your ISP knows which websites you visit. Traffic
analysis and profiling attacks can also reveal which specific pages / content
you've visited based on statistical analysis of the request / response size,
response time, and other factors.

Effective HTTPS doesn't hide what you are looking at; it ensures that whatever
you send and receive cannot be tampered with (easily) and also adds some layer
of secrecy to the data you send and receive, if the attacker cannot gain it via
other means.

~~~
Jeaye
Great point bringing up web browsing history; I considered mentioning
"private" modes, like Incognito Mode, but my primary concern with this post
(as a sort of PSA) was that HTTPS does not mean we should trust services.

It might be worthwhile to provide another short-and-sweet (at least, that's my
goal) post clearing up what I find to be common misconceptions about such
private modes and what they offer, including what's stored in history,
cookies, etc.

------
yompers888
This seems analogous to complaining about internet protocol for failing to
address reliable delivery; reliability is not part of the protocol, so it
would be odd to expect it. And when you do need reliability, you can elect to
use TCP, and then you have that function. If you want outside observers to not
see the connections you're making, then use a VPN. But the vast majority of
people don't care enough about hiding the destinations of their internet
traffic to bake that in to the more fundamental protocols.

I'm surprised to see this posted on such a tech-oriented site.

~~~
Jeaye
Unfortunately, I think you've missed the point. My goal was not to complain
about anything, it was to raise attention to the fact that security doesn't
mean privacy. As a tech site for all types of people, it seems to be the ideal
forum for targeting those interested in privacy who fall victim to assumptions
and misinformation regarding security.

My guess is that you don't fall into the target audience, as you already have
this knowledge.

------
blakesterz
"Security does not mean privacy."

I sometimes stumble when I try to explain how security and privacy are
different and usually I'll just explain with examples. I like these examples
here.

When browsing a website which uses HTTPS, anyone viewing your traffic will be
able to tell not only which website you’re viewing, but for how long and how
frequently. (NOT really private) Though the content between you and the
website is encrypted, (and so secure) the fact that you’re connected to the
website’s IP is to be considered public knowledge.

~~~
jdiscar
In this case, it might be easier to describe sending letters in a secret code
to your friends. Even though the mailmen can read everything on the envelope,
they can't read anything inside.

------
colmmacc
Along the same lines, this paper is a great and slightly more comprehensive
read on what TLS/HTTPS _doesn't_ protect.

[https://www.teamupturn.com/static/reports/2016/what-isps-can-see/files/Upturn%20-%20What%20ISPs%20Can%20See%20v.1.0.pdf](https://www.teamupturn.com/static/reports/2016/what-isps-can-see/files/Upturn%20-%20What%20ISPs%20Can%20See%20v.1.0.pdf)

------
progval
> the fact that you’re connected to the website’s IP is to be considered
> public knowledge.

As well as the domain name, because of SNI (Server Name Indication)

~~~
Jeaye
Right, though the IP may be serving multiple domains. I omitted this due to
the added complexity and aim to keep the post focused on a simple assertion:
security != privacy.

------
Puts
Also note that your browser sends the Referer header even on HTTPS if you don't
explicitly tell it not to do so.

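Puts' point above, worked through as an added example that is not code from the original post: the rules below implement the referrer-selection cases of the W3C Referrer Policy specification, so you can see exactly which part of an HTTPS URL leaks to a third-party site under each policy. The sample source and destination URLs are constructed for the example. "no-referrer-when-downgrade" was the browsers' default at the time of this thread; "strict-origin-when-cross-origin" is the current default in the major browsers.

```python
"""
Which Referer value a browser sends under each Referrer-Policy.

Added example, not code from the original post: a direct implementation of the
referrer-selection rules from the W3C Referrer Policy spec. URLs are
constructed samples.
"""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

POLICIES = [
    "no-referrer",
    "no-referrer-when-downgrade",        # historic browser default
    "same-origin",
    "origin",
    "strict-origin",
    "origin-when-cross-origin",
    "strict-origin-when-cross-origin",   # current browser default
    "unsafe-url",
]


def _hostport(u) -> str:
    """host[:port], with the scheme's default port omitted (IPv6 literals not handled)."""
    port = "" if u.port in (None, DEFAULT_PORTS.get(u.scheme)) else f":{u.port}"
    return f"{u.hostname or ''}{port}"


def origin(url: str) -> str:
    """Serialized origin, e.g. 'https://blog.jeaye.com'."""
    u = urlsplit(url)
    return f"{u.scheme}://{_hostport(u)}"


def strip_for_referrer(url: str) -> str:
    """Full referrer value: credentials and fragment dropped, path and query kept."""
    u = urlsplit(url)
    return urlunsplit((u.scheme, _hostport(u), u.path or "/", u.query, ""))


def referrer_for(policy: str, source: str, dest: str):
    """Referer header value for a request from `source` to `dest` under `policy`,
    or None when no header is sent."""
    same_origin = origin(source) == origin(dest)
    downgrade = urlsplit(source).scheme == "https" and urlsplit(dest).scheme != "https"
    full = strip_for_referrer(source)
    org = origin(source) + "/"          # origin-only referrers are sent with a trailing slash
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return org
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else org
    if policy == "strict-origin":
        return None if downgrade else org
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else org
    raise ValueError(f"unknown policy {policy!r}")


def compare_policies(source: str, dest: str) -> dict:
    """Map every policy to the Referer value it produces for one source/dest pair."""
    return {p: referrer_for(p, source, dest) for p in POLICIES}


# Constructed sample: an HTTPS page with a tracking parameter, linking out to
# another HTTPS site and to a plain-HTTP site.
SOURCE = "https://blog.jeaye.com/2016/05/30/https-illusion/?utm=hn#top"
HTTPS_DEST = "https://news.ycombinator.com/item?id=1"
HTTP_DEST = "http://example.com/"

if __name__ == "__main__":
    for dest in (HTTPS_DEST, HTTP_DEST):
        print(dest)
        for policy, value in compare_policies(SOURCE, dest).items():
            print(f"  {policy:34} {value}")
```

The page author controls the policy with a `Referrer-Policy` response header or `<meta name="referrer" content="...">`, and per link with `rel="noreferrer"`; under the historic default an HTTPS-to-HTTPS cross-site link still hands the full path and query string to the destination, which is the leak Puts is describing.
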
------
vince14
I thought the article would mention web of trust and the flaws with CAs.

~~~
Jeaye
That'd focus more on the security aspect, and its details, as opposed to
contrasting the security we (ideally) get with HTTPS and the privacy we hope
to get when using services.

