- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Fri, 13 Nov 2015 11:05:58 +0100
- To: Jake Archibald <jakearchibald@google.com>
- Cc: Martin Thomson <martin.thomson@gmail.com>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, WebAppSec WG <public-webappsec@w3.org>

On Fri, Nov 13, 2015 at 10:38 AM, Jake Archibald <jakearchibald@google.com> wrote:
> We considered this as the "wikileaks" case. A user who creates a wikileaks
> background sync at home may not want that to fire at work.
>
> Given that background sync is only available over https, there isn't the
> MITM worry in terms of observing data transmitted, but yeah the destination
> IP could be observed. However, the observer wouldn't be able to reliably
> tell posting to wikileaks apart from the user pressing "w" in their location
> bar, it autocompleting to wikileaks and triggering a preload request.

Can't they tell how much encrypted data was transmitted? And even
ignoring that, you can tell it apart from a preload request as visiting
wikileaks.org also hits search.wikileaks.org at least.

--
https://annevankesteren.nl/

Received on Friday, 13 November 2015 10:06:27 UTC