[liberationtech] Riseup registration process a bit odd...

Richard Brooks rrb at acm.org
Tue Oct 29 10:24:59 PDT 2013


I would assume that they see the port, too.

It is also well known that URLs have identifiable
signatures based on the number of items retrieved
and the packet sizes. In most cases, it is easy to
infer the URLs visited. But the encryption should
protect data entered into forms.

So, the sequence of URLs seen is not available in
clear text, but it is not hard to guess correctly.
See:

http://research.microsoft.com/pubs/119060/webappsidechannel-final.pdf

On 10/29/2013 01:09 PM, Sean Alexandre wrote:
> This site name (or domain name) is exposed, but not the URL. So for example if
> I browse to this URL using Tor:
> https://user.riseup.net/ticket/123456/foo.bar
> 
> The exit node can see the domain name:
> user.riseup.net
> 
> but not the URL:
> https://user.riseup.net/ticket/123456/foo.bar
> 
> Or, another way to say it is the domain name is part of the URL but is not the URL.
> 
> On Tue, Oct 29, 2013 at 11:50:54AM -0500, Douglas Lucas wrote:
>> That no one can see an HTTPS URL seems contradicted by this EFF "Tor and
>> HTTPS" diagram: https://www.eff.org/pages/tor-and-https
>>
>> For the diagram, if you click the HTTPS button to show what data is
>> visible with only HTTPS enabled, you can see that some of the data is
>> encrypted, but not the site name ("site.com" in the diagram).
>>
>> Can anyone clarify?
>>
>> Thanks,
>>
>> Douglas
>>
>> On 10/29/2013 07:29 AM, andrew cooke wrote:
>>>
>>> it's https.  no-one else can see the url.
>>>
>>> http://security.stackexchange.com/questions/7705/does-ssl-tls-https-hide-the-urls-being-accessed
>>>
>>> andrew
>>>
>>>
>>> On Tue, Oct 29, 2013 at 01:01:55PM +0100, Alex Comninos wrote:
>>>> Hi All
>>>>
>>>> So I am looking to make a #PRISMBREAK and get a riseup.net account. It
>>>> will be no secret, as I am aiming for alex.comninos at riseup.net, and I
>>>> will advertise this publicly.
>>>>
>>>> The registration process seems a bit odd. I get an HTTPS link to check
>>>> my ticket.
>>>>
>>>> The link looks something like
>>>> https://user.riseup.net/ticket/******/***************************
>>>>
>>>> The first set of stars is the ticket number, the second is the email
>>>> address used to register.
>>>>
>>>> I can, I believe, visit this link to monitor the progress of my ticket.
>>>> However, anyone on the network I used to register, and all the way
>>>> along the internet to riseup.net can see this link, if I used TOR,
>>>> presumably the exit node. The link reveals that I have a ticket with
>>>> riseup and am intending to register, and the email I am using to register it.
>>>> The link can then be followed by anyone who saw it along its way on
>>>> the internet, and my ticket read with my possibly private motivation
>>>> for doing so elaborated (does not require a login).
>>>>
>>>> My link was:
>>>>
>>>> https://user.riseup.net/ticket/813773/alex[dot]comninos[at]gmail[dot]com
>>>>
>>>> Replace the words in square brackets with punctuation, and I invite
>>>> you to read my motivation to open a riseup account.
>>>>
>>>> I am no information security professional, so please let me know if
>>>> anyone else thinks the registration process may be a bit insecure.
>>>>
>>>> Kind regards.
>>>> ...
>>>> Alex Comninos | doctoral candidate
>>>> Department of Geography | Justus Liebig University, Gießen
>>>> http:// comninos.org | Twitter: @alexcomninos
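To make the side channel Brooks describes concrete, here is an added example (not code from any message in this thread): a toy fingerprint matcher that names a page from nothing but the count and sizes of the encrypted responses, beside the padding countermeasure that removes the distinguishing signal. The paths, response sizes and observed traces are all constructed for illustration.

```python
# Constructed fingerprint database for a hypothetical HTTPS site: for each
# page, the sizes (bytes) of the encrypted responses a fetch of that page
# produces. An on-path observer sees these sizes even though the URL and
# content are encrypted.
KNOWN_PAGES = {
    "/ticket/new":    [4180, 1732, 9216],
    "/ticket/status": [5022, 1732, 9216, 640],
    "/account/login": [3310, 1732],
    "/help":          [7790, 1732, 9216, 2048, 512],
}

def fingerprint(sizes):
    """The only features used: how many objects were fetched and how big
    each one was. Nothing here requires decrypting anything."""
    return len(sizes), sorted(sizes)

def distance(observed, reference):
    """Crude score: a mismatch in object count is penalised heavily, then the
    per-object size differences are summed (tolerates small record jitter)."""
    n_obs, s_obs = fingerprint(observed)
    n_ref, s_ref = fingerprint(reference)
    score = abs(n_obs - n_ref) * 10_000
    return score + sum(abs(a - b) for a, b in zip(s_obs, s_ref))

def guess_url(observed, db=KNOWN_PAGES):
    """Return (best_match, ambiguous). ambiguous is True when another page
    ties with the best score, i.e. the trace does not single out a page."""
    scores = {url: distance(observed, sizes) for url, sizes in db.items()}
    best = min(scores, key=scores.get)
    ambiguous = sum(1 for s in scores.values() if s == scores[best]) > 1
    return best, ambiguous

def pad_trace(sizes, bucket=16384, objects=6):
    """Server-side mitigation: round every response up to a fixed bucket and
    append dummy fetches so each page produces the same number of objects."""
    padded = [-(-s // bucket) * bucket for s in sizes]
    padded += [bucket] * (objects - len(padded))
    return padded

if __name__ == "__main__":
    trace = [4205, 1761, 9240, 655]       # constructed: /ticket/status with jitter
    print("unpadded:", guess_url(trace))  # -> ('/ticket/status', False)
    padded_db = {u: pad_trace(s) for u, s in KNOWN_PAGES.items()}
    print("padded:  ", guess_url(pad_trace(trace), padded_db))  # ambiguous
```

With every page padded to the same bucket and object count, all fingerprints collapse to one value and the matcher can only report a tie.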
