[liberationtech] Riseup registration process a bit odd...

Tue Oct 29 12:34:07 PDT 2013

getnameinfo() should provide a list of DNS names associated
with the IP address. So that catlovers.com and terrorism.com
would both be included.

Of course, the machine can have multiple IP and DNS names.

On 10/29/2013 01:49 PM, andrew cooke wrote:
> 
> people are saying that the site name is visible, but that's not strictly
> correct.
> 
> a server can have many names.  with https, someone can see which server you
> connected to, but they don't see which name you used to do so.
> 
> (although a very powerful attacker might be able to infer that from other
> data - dns quereies)
> 
> the eff tor/https diagram (which is excellent) assumes that the server has a
> single name (site.com), which is often the case (especially for large, popular
> sites).  then it is easy to infer the name from the server.
> 
> i don't know of anywhere that this is used, but in principle a server could
> host https://catlovers.com and https://terrorism.com, with the first providing
> "cover" for the latter ("why are you connecting to terrorism.com?"  "i am not;
> i am looking at cute pictures of cats!").  but as someone else said, some
> information will leak with the size of packets, etc, so it probably isn't that
> secure or useful anyway.
> 
> to understand this further you need to understand the concept of layered
> protocols.  the ssl/tls layer is "below" the http layer and "above" the ip
> layer.  so the ip address is visible, but the site name (in the http data, in
> the url) is not.
> 
> andrew
> 
> 
> On Tue, Oct 29, 2013 at 11:50:54AM -0500, Douglas Lucas wrote:
>> That no one can see an HTTPS URL seems contradicted by this EFF "Tor and
>> HTTPS" diagram: https://www.eff.org/pages/tor-and-https
>>
>> For the diagram, if you click the HTTPS button to show what data is
>> visible with only HTTPS enabled, you can see that some of the data is
>> encrypted, but not the site name ("site.com" in the diagram).
>>
>> Can anyone clarify?
>>
>> Thanks,
>>
>> Douglas
>>
>> On 10/29/2013 07:29 AM, andrew cooke wrote:
>>>
>>> it's https.  no-one else can see the url.
>>>
>>> http://security.stackexchange.com/questions/7705/does-ssl-tls-https-hide-the-urls-being-accessed
>>>
>>> andrew
>>>
>>>
>>> On Tue, Oct 29, 2013 at 01:01:55PM +0100, Alex Comninos wrote:
>>>> Hi All
>>>>
>>>> So I am looking to make a #PRISMBREAK and get a riseup.net account. It
>>>> will be no secret, as I am aiming for alex.comninos at riseup.net, and I
>>>> will advertise this publicly.
>>>>
>>>> The registration process seems a bit odd. I get an HTTPS link to check
>>>> my ticket.
>>>>
>>>> The link looks something like
>>>> https://user.riseup.net/ticket/******/***************************
>>>>
>>>> The first set of stars is the ticket number, the second is the email
>>>> address used to register.
>>>>
>>>> I can I believe visit this link to monitor the progress of my ticket.
>>>> However, any one on the network I used to register, and all the way
>>>> along the internet to riseup.net can see this link, if I used TOR,
>>>> presumably the exit node. The link reveals that I have a ticket with
>>>> riseup and intending to register, the email I am using to register it.
>>>> The link can then be followed by anyone who saw it along its way on
>>>> the internet, and my ticket read with my possibly private motivation
>>>> for doing so elaborated (does not require a login).
>>>>
>>>> My link was:
>>>>
>>>> https://user.riseup.net/ticket/813773/alex[dot]comninos[at]gmail[dot]com
>>>>
>>>> Replace the words in square brackets with punctuation, and I invite
>>>> you to read my motivation to open a riseup account.
>>>>
>>>> I am no information security professional, so please let me know if
>>>> anyone else thinks the registration process may be a bit insecure.
>>>>
>>>> Kind regards.
>>>> ...
>>>> Alex Comninos | doctoral candidate
>>>> Department of Geography | Justus Liebig University, Gießen
>>>> http:// comninos.org | Twitter: @alexcomninos
>>>> -- 
>>>> Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu.
>> -- 
>> Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu.
>>