On 2021-08-19 16:37:13 -0400 (-0400), Kyle Edwards wrote:
> On 8/19/21 3:46 PM, Simon Richter wrote:
> > For the most part, users would configure https if they are behind a
> > corporate firewall that disallows http, or modifies data in-flight so
> > signature verification fails, everyone else is better off using plain
> > http.
>
> Or they might configure https on the sheer principle of not wanting to have
> their traffic hoovered up by their ISP or anyone else who might be
> listening.
While this does complicate it, a snooping party can still know the site they're connecting to via SNI happening unencrypted, and packet sizes/pacing likely give away which pages or files are being retrieved based on their length. And that's not even getting into how "trusted" certificate authorities give away certificates for any hostname if your MitM knows the right people, and CDNs are now in the business of snooping on everyone's traffic for sites where they handle SSL/TLS termination. HTTPS as deployed on the open Internet is a sip of security with several gulps of theater.

--
Jeremy Stanley
signature.asc
Description: PGP signature