Hacker News new | past | comments | ask | show | jobs | submit login

Yes, great point. But I said _easier_, not _easy_. Using HTTPS, a user may have a more outdated version of the Tor browser with different cipher suites than everyone else. Using plain HTTP, that can't happen.

> unless someone at the Tor project massively screws up

And that is what the author of the article is claiming.

My comments here aren't in agreement with the author of the article, and I'm not claiming "HTTPS is bad" or anything like that. It's simply a categorical fact that HTTPS has more vectors to be fingerprinted than HTTP.

But of course, as you mentioned, features enabled by Javascript are the bigger problem, which is why users who wish to be anonymous should completely disable it!

Adding HTTPS plausibly adds a single low-cardinality signal but it removes a ton of other ones for network-level observers. When it comes to hostile site owners, realistically you're screwed but from a privacy perspective it's a question of whether you're one of the small percentage of users who have a) failed to install updates and b) disabled JavaScript.

That's a pretty small percentage of users for whom HTTPS isn't an across-the-board win for privacy.

Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact