On 12/18/2014 10:37 AM, Eduardo' Vela" <Nava> wrote: > [dkg wrote:] >> > Among other things, HTTPS provides some confidentiality to *the act of >> > reading*, but does not restrict web sites from publishing public data. > > HTTPS most likely doesn't hide which news articles you are reading. Traffic > analysis against a site like a public news site is very likely to provide a > near-perfect prediction. You'll note that i said "some" confidentiality :) I'm aware of traffic analysis issues like [0]. These attacks require some (not enormous) investment from the adversary in gathering data from various sites and producing the statistical models that give plausible content prediction. I agree that we should not ignore or underestimate them. In the meantime, cleartext HTTP allows a simple keyword search of the raw data stream for anyone who wants to censor, surveil, or "clean up" traffic based on what you're reading. There are possible mitigation techniques against traffic analysis (like including padding in the underlying data or at the TLS layer, ensuring that subresources are all same-origin, etc), and we will need further development and research in this area. But these mitigation techniques are useless unless we move to HTTPS in the first place. Sorry this got a bit off-topic. more on-point: HTTP is still non-secure. Regards, --dkg [0] http://arxiv.org/abs/1403.0297
Received on Thursday, 18 December 2014 16:10:43 UTC