Hacker News

Agreed.

There are so many websites on the internet which do not gather sensitive data from the users but display read-only content.



If you had checked my web browsing over the last week it wouldn't be very hard to make an argument that I should be in a psych facility, based on the number of suicide-related searches I did. In all cases it was purely static content, but in the wrong hands it could be a huge issue for me.

I am only posting it here to prove a point: even static content can reveal a lot.


I don't think SSL is all that great for protecting broad interests.

If you are going to ten different domains in the same span of time that all contain suicide content and someone is snooping your connection, they can correlate what you're doing from the server names (especially if one of the domains has the word 'suicide' in it), even without seeing the page content or path portions of your web requests.

For exclusive content sites, it's a dead giveaway. If someone went to my domain (byuu.org) in HTTPS, then it's pretty obvious that they were interested in emulation, regardless of the encryption. There's already tons of services out there categorizing domains on the internet.

SSL's primary benefit is for form submissions, not for static content pages.

For something like that, your best bet at the present time is a service like Tor. Even that isn't really perfect.


It's a good point, but most people don't care about that or about government surveillance. Any friction introduced by things they don't care about will be seen as an annoyance and will be ignored at best. And since the absolute majority of websites are likely to stay on HTTP forever, warnings won't do much good and will probably get disabled again in the future.

The good news is: more sites will switch to https.


And it would be so much easier to make a murder look like a suicide with a (public) search history like that.


Reading certain articles reveals sensitive information about you, the reader, too.

Do you really want every node in the network to know that you like NSFW content or are heavily into my little pony?


Would https be better in that regard? (e.g. tracking of visited URIs by the network)


Yes, because the URI is also encrypted in HTTPS (although it can get leaked in other ways; see the discussion at http://stackoverflow.com/questions/499591/are-https-urls-enc...).


But the host is not, and many services exist to categorize the content of domains already. What is the statistical difference between innocuous-site-with-every-kind-of-content-ever.com/friendship-is-pornographic and mlp-fip.com? If more sites are like the latter, then HTTPS will only hide which MLP pictures you are looking at, and not that you are looking at MLP porn. And if a site like the former became too large, we'd have to worry about the government issuing secret trace/tap requests against them.


That thread misses the most important way: the length of the request and the length of the response. On most small sites, the combination of the two will be enough to uniquely identify what page you're visiting.
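An added illustration of the size-based fingerprinting described above, and of why padding to fixed-size buckets is the usual countermeasure. This is example code written for this thread, not from any commenter; the site, its byte counts and the 300-byte request overhead are constructed.

```python
from collections import defaultdict

# Constructed sample site: path -> encrypted response size in bytes.
# Made-up values for illustration, not measurements of any real site.
SITE_PAGES = {
    "/": 4120,
    "/about": 2210,
    "/contact": 2205,
    "/topics/emulation": 9875,
    "/topics/mental-health": 9880,
}
REQUEST_OVERHEAD = 300  # assumed fixed header bytes per GET (constructed)

def pad_length(size, pad_to):
    """Round a length up to the next multiple of pad_to (no padding if pad_to <= 0)."""
    if pad_to <= 0:
        return size
    return -(-size // pad_to) * pad_to

def wire_sizes(path, response_len, pad_to=0):
    """What a passive observer sees for one page view: (request bytes, response bytes).
    Even with TLS, the path length still shifts the request size."""
    request_len = REQUEST_OVERHEAD + len(path)
    return (pad_length(request_len, pad_to), pad_length(response_len, pad_to))

def build_size_index(pages, pad_to=0):
    """Map an observed (request, response) size pair -> set of pages producing it."""
    index = defaultdict(set)
    for path, response_len in pages.items():
        index[wire_sizes(path, response_len, pad_to)].add(path)
    return index

def candidates(observed, pages, pad_to=0):
    """Pages consistent with an observed size pair: the observer's best guess."""
    return sorted(build_size_index(pages, pad_to).get(observed, set()))

def fraction_unique(pages, pad_to=0):
    """Share of pages a size-only observer can pin down exactly.
    Use this as a defender's check: lower is better, and padding lowers it."""
    index = build_size_index(pages, pad_to)
    return sum(1 for paths in index.values() if len(paths) == 1) / len(pages)

if __name__ == "__main__":
    for pad in (0, 4096):
        share = fraction_unique(SITE_PAGES, pad)
        print(f"pad_to={pad}: {share:.0%} of pages uniquely identifiable by size")
```

Unpadded, every page on this small site has a distinct size pair; padding both directions to 4 KiB collapses all but the front page into indistinguishable groups.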
