[liberationtech] Riseup registration process a bit odd...
Sean Alexandre
sean at alexan.org
Tue Oct 29 10:09:07 PDT 2013
This site name (or domain name) is exposed, but not the URL. So for example if
I browse to this URL using Tor:
https://user.riseup.net/ticket/123456/foo.bar
The exit node can see the domain name:
user.riseup.net
but not the URL:
https://user.riseup.net/ticket/123456/foo.bar
Or, another way to say it is the domain name is part of the URL but is not the URL.
On Tue, Oct 29, 2013 at 11:50:54AM -0500, Douglas Lucas wrote:
> That no one can see an HTTPS URL seems contradicted by this EFF "Tor and
> HTTPS" diagram: https://www.eff.org/pages/tor-and-https
>
> For the diagram, if you click the HTTPS button to show what data is
> visible with only HTTPS enabled, you can see that some of the data is
> encrypted, but not the site name ("site.com" in the diagram).
>
> Can anyone clarify?
>
> Thanks,
>
> Douglas
>
> On 10/29/2013 07:29 AM, andrew cooke wrote:
> >
> > it's https. no-one else can see the url.
> >
> > http://security.stackexchange.com/questions/7705/does-ssl-tls-https-hide-the-urls-being-accessed
> >
> > andrew
> >
> >
> > On Tue, Oct 29, 2013 at 01:01:55PM +0100, Alex Comninos wrote:
> >> Hi All
> >>
> >> So I am looking to make a #PRISMBREAK and get a riseup.net account. It
> >> will be no secret, as I am aiming for alex.comninos at riseup.net, and I
> >> will advertise this publicly.
> >>
> >> The registration process seems a bit odd. I get an HTTPS link to check
> >> my ticket.
> >>
> >> The link looks something like
> >> https://user.riseup.net/ticket/******/***************************
> >>
> >> The first set of stars is the ticket number, the second is the email
> >> address used to register.
> >>
> >> I can, I believe, visit this link to monitor the progress of my ticket.
> >> However, anyone on the network I used to register, and all the way
> >> along the internet to riseup.net can see this link, if I used TOR,
> >> presumably the exit node. The link reveals that I have a ticket with
> >> riseup and intending to register, the email I am using to register it.
> >> The link can then be followed by anyone who saw it along its way on
> >> the internet, and my ticket read with my possibly private motivation
> >> for doing so elaborated (does not require a login).
> >>
> >> My link was:
> >>
> >> https://user.riseup.net/ticket/813773/alex[dot]comninos[at]gmail[dot]com
> >>
> >> Replace the words in square brackets with punctuation, and I invite
> >> you to read my motivation to open a riseup account.
> >>
> >> I am no information security professional, so please let me know if
> >> anyone else thinks the registration process may be a bit insecure.
> >>
> >> Kind regards.
> >> ...
> >> Alex Comninos | doctoral candidate
> >> Department of Geography | Justus Liebig University, Gießen
> >> http:// comninos.org | Twitter: @alexcomninos