[liberationtech] Riseup registration process a bit odd...
Douglas Lucas
dal at riseup.net
Tue Oct 29 09:50:54 PDT 2013
That no one can see an HTTPS URL seems contradicted by this EFF "Tor and
HTTPS" diagram: https://www.eff.org/pages/tor-and-https
For the diagram, if you click the HTTPS button to show what data is
visible with only HTTPS enabled, you can see that some of the data is
encrypted, but not the site name ("site.com" in the diagram).
Can anyone clarify?
Thanks,
Douglas
On 10/29/2013 07:29 AM, andrew cooke wrote:
>
> it's https. no-one else can see the url.
>
> http://security.stackexchange.com/questions/7705/does-ssl-tls-https-hide-the-urls-being-accessed
>
> andrew
>
>
> On Tue, Oct 29, 2013 at 01:01:55PM +0100, Alex Comninos wrote:
>> Hi All
>>
>> So I am looking to make a #PRISMBREAK and get a riseup.net account. It
>> will be no secret, as I am aiming for alex.comninos at riseup.net, and I
>> will advertise this publicly.
>>
>> The registration process seems a bit odd. I get an HTTPS link to check
>> my ticket.
>>
>> The link looks something like
>> https://user.riseup.net/ticket/******/***************************
>>
>> The first set of stars is the ticket number, the second is the email
>> address used to register.
>>
>> I can, I believe, visit this link to monitor the progress of my ticket.
>> However, anyone on the network I used to register, and all the way
>> along the internet to riseup.net, can see this link; if I used Tor,
>> presumably the exit node. The link reveals that I have a ticket with
>> riseup and am intending to register, and the email I am using to register it.
>> The link can then be followed by anyone who saw it along its way on
>> the internet, and my ticket read with my possibly private motivation
>> for doing so elaborated (does not require a login).
>>
>> My link was:
>>
>> https://user.riseup.net/ticket/813773/alex[dot]comninos[at]gmail[dot]com
>>
>> Replace the words in square brackets with punctuation, and I invite
>> you to read my motivation to open a riseup account.
>>
>> I am no information security professional, so please let me know if
>> anyone else thinks the registration process may be a bit insecure.
>>
>> Kind regards.
>> ...
>> Alex Comninos | doctoral candidate
>> Department of Geography | Justus Liebig University, Gießen
>> http:// comninos.org | Twitter: @alexcomninos
>> --
>> Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu.