Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Riseup registration process a bit odd...

andrew cooke andrew at acooke.org
Tue Oct 29 10:49:22 PDT 2013


people are saying that the site name is visible, but that's not strictly
correct.

a server can have many names.  with https, someone can see which server you
connected to, but they don't see which name you used to do so.

(although a very powerful attacker might be able to infer that from other
data - dns quereies)

the eff tor/https diagram (which is excellent) assumes that the server has a
single name (site.com), which is often the case (especially for large, popular
sites).  then it is easy to infer the name from the server.

i don't know of anywhere that this is used, but in principle a server could
host https://catlovers.com and https://terrorism.com, with the first providing
"cover" for the latter ("why are you connecting to terrorism.com?"  "i am not;
i am looking at cute pictures of cats!").  but as someone else said, some
information will leak with the size of packets, etc, so it probably isn't that
secure or useful anyway.

to understand this further you need to understand the concept of layered
protocols.  the ssl/tls layer is "below" the http layer and "above" the ip
layer.  so the ip address is visible, but the site name (in the http data, in
the url) is not.

andrew


On Tue, Oct 29, 2013 at 11:50:54AM -0500, Douglas Lucas wrote:
> That no one can see an HTTPS URL seems contradicted by this EFF "Tor and
> HTTPS" diagram: https://www.eff.org/pages/tor-and-https
> 
> For the diagram, if you click the HTTPS button to show what data is
> visible with only HTTPS enabled, you can see that some of the data is
> encrypted, but not the site name ("site.com" in the diagram).
> 
> Can anyone clarify?
> 
> Thanks,
> 
> Douglas
> 
> On 10/29/2013 07:29 AM, andrew cooke wrote:
> > 
> > it's https.  no-one else can see the url.
> > 
> > http://security.stackexchange.com/questions/7705/does-ssl-tls-https-hide-the-urls-being-accessed
> > 
> > andrew
> > 
> > 
> > On Tue, Oct 29, 2013 at 01:01:55PM +0100, Alex Comninos wrote:
> >> Hi All
> >>
> >> So I am looking to make a #PRISMBREAK and get a riseup.net account. It
> >> will be no secret, as I am aiming for alex.comninos at riseup.net, and I
> >> will advertise this publicly.
> >>
> >> The registration process seems a bit odd. I get an HTTPS link to check
> >> my ticket.
> >>
> >> The link looks something like
> >> https://user.riseup.net/ticket/******/***************************
> >>
> >> The first set of stars is the ticket number, the second is the email
> >> address used to register.
> >>
> >> I can I believe visit this link to monitor the progress of my ticket.
> >> However, any one on the network I used to register, and all the way
> >> along the internet to riseup.net can see this link, if I used TOR,
> >> presumably the exit node. The link reveals that I have a ticket with
> >> riseup and intending to register, the email I am using to register it.
> >> The link can then be followed by anyone who saw it along its way on
> >> the internet, and my ticket read with my possibly private motivation
> >> for doing so elaborated (does not require a login).
> >>
> >> My link was:
> >>
> >> https://user.riseup.net/ticket/813773/alex[dot]comninos[at]gmail[dot]com
> >>
> >> Replace the words in square brackets with punctuation, and I invite
> >> you to read my motivation to open a riseup account.
> >>
> >> I am no information security professional, so please let me know if
> >> anyone else thinks the registration process may be a bit insecure.
> >>
> >> Kind regards.
> >> ...
> >> Alex Comninos | doctoral candidate
> >> Department of Geography | Justus Liebig University, Gießen
> >> http:// comninos.org | Twitter: @alexcomninos
> >> -- 
> >> Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu.
> -- 
> Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu.
> 



More information about the liberationtech mailing list