Timeline for Does HTTPS encryption on a site prevent the NSA from knowing you visited its domain / the URL?
Current License: CC BY-SA 3.0
19 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Mar 17, 2017 at 10:46 | history edited | CommunityBot | | replaced http://security.stackexchange.com/ with https://security.stackexchange.com/ |
| Jan 8, 2015 at 23:49 | comment added | dave_thompson_085 | | @Fabio one handshake with Server Name Indication can and does support multiple domains on the same IP/port (not just machine); multiple handshakes without SNI can't select the cert and thus couldn't work even if anyone did them, which no one does because they can't work. The only time multiple handshakes are used is to work around broken version negotiation, see POODLE. |
| Jan 8, 2015 at 23:12 | comment added | reirab | | @Thebluefish yes, I mentioned that in my answer. |
| Jan 8, 2015 at 23:10 | comment added | user41341 | | @reirab but DNS queries are not secured. If I make a DNS query for google.com and it can't find the host locally, it's going to make the query externally, which isn't secured. Reverse-IP is also possible in this case. |
| Jan 8, 2015 at 23:09 | comment added | Fabio Beltramini | | - HTTPS does encrypt the host - Browsers do NOT send referrer information over HTTP when the request originates from an HTTPS page - It's all moot because your DNS queries are not encrypted, so the host was already visible before HTTPS came into play (or could be inferred from the remote IP + a reverse DNS lookup, as The Spooniest pointed out) |
| Jan 8, 2015 at 21:47 | comment added | wireghoul | | -1 Your answer has some technical inaccuracies and you are completely disregarding traffic analysis against SSL packets, which can let you determine which URLs are visited based on things like the SSL packet size alone. You can see a demo at 24:45 in this YouTube video: youtube.com/watch?v=N9gzxB80fxs |
| Jan 8, 2015 at 21:14 | comment added | reirab | | HTTPS does encrypt the hostname. The entire stream is encrypted. This is why you can't host multiple sites using different domain names on the same IP/port combination with HTTPS like you can with HTTP. |
| Jan 8, 2015 at 18:20 | comment added | limbenjamin | | @Bruno updated, thanks for pointing it out; it should be an approximate length |
| Jan 8, 2015 at 18:18 | history edited | limbenjamin | CC BY-SA 3.0 | added 12 characters in body |
| Jan 8, 2015 at 18:14 | comment added | limbenjamin | | @Paulo From what I know, the Referer header is set only when navigating to a new page. I just checked and Chrome does not set Referer for cross-site resources. |
| Jan 8, 2015 at 16:18 | comment added | Paŭlo Ebermann | | Are you sure that there are no Referer headers to cross-site resources? (I guess this might depend on the browser.) |
| Jan 8, 2015 at 15:04 | comment added | Bruno | | "The length of the URL path is visible to all eavesdroppers". How? Sure, rough guesses can be made from the size of the encrypted packets, but the exact length, really, especially when you consider headers that may also vary in length? |
| Jan 8, 2015 at 14:53 | comment added | Digital Chris | | This answer ignores the fact that the question is about the NSA, which, aside from normal sniffing methods, could: have a backdoor already installed on the site, make a request for the server logs, or have acquired the site's private keys. |
| Jan 8, 2015 at 13:31 | history edited | limbenjamin | CC BY-SA 3.0 | added 199 characters in body |
| Jan 8, 2015 at 13:22 | comment added | user21377 | | Ah, but what about this: "with HTTPS, the URL themselves go through the tunnel, hence are encrypted. However, external observer can see the length of the encrypted data records, and thus infer the length (in bytes) of the URL". So the URL path length is determinable then? If so, then the answer should ideally be updated and this factor explained, as that clearly changes things. |
| Jan 8, 2015 at 13:18 | comment added | pjc50 | | Assuming that you/they have perfect forward secrecy on and the NSA haven't compromised their private key or servers, yes. |
| Jan 8, 2015 at 13:14 | comment added | user21377 | | So if I visit an HTTPS site (and of course, nothing certificate-wise, or otherwise, is hijacked) and block all cross-site objects on it (again using RequestPolicy), the NSA won't even be able to know (outside of guessing from other undiscussed factors) what webpage it was on that website that I visited? If so, that is seriously good news. |
| Jan 8, 2015 at 13:05 | vote accept | CommunityBot | | |
| Jan 8, 2015 at 11:44 | history answered | limbenjamin | CC BY-SA 3.0 | |