undefined | Better HN

0 points1oooqooq1y ago0 comments

because you're comparing it wrong!

in your mind, ssl won't leak anything. and non ssl leaks everything.

make a list of everything you can infer without a cert looking on a ssl connection. then add on top of that all the things people with the cert or control over CAs can see and make a list of them all

when you're done you notice ssl is not perfect as you think and the extra request and no cache compound all that.

0 comments

Lammy1y ago

> make a list of everything you can infer without a cert looking on a ssl connection

This exactly, and not just connection but connections, plural. If the network observes my encrypted connection to ocsp.apple.com followed by another encrypted connection to adobegenuine.com, an analyst could reasonably assume I'd just opened an Adobe Creative Suite app. Or if they see ocsp.apple.com followed by update.code.visualstudio.com, I probably just opened VSCode. Auto-updaters are the same kind of privacy scourge and every additional connection makes it worse.

Citations:

- https://helpx.adobe.com/enterprise/kb/network-endpoints.html

- https://code.visualstudio.com/docs/setup/network

j / k navigate · click thread line to collapse