
How much security does HTTPS provide...???



#1 Warthog-Fan


Posted 01 May 2018 - 04:25 PM

I just read an article on the subject of HTTPS, as opposed to HTTP. The article included a number of technical terms that I didn't understand and I came away a little confused. The article seemed to say that the identity of the user is protected, and that data both to and from the target server is encrypted to ensure privacy. However, it seems like there still has to be some kind of text in the clear, so that the ISP knows where to direct the traffic. For example, if I wanted to enter the address of the forums on Bleeping Computer, I might type something like:

 

https://www.bleepingcomputer.com/forums/windows7

 

It seems like the ISP would need at least "https://www.bleepingcomputer.com" to be unencrypted.

 

If this is true, then the ISP may not be able to tell exactly what on Bleeping Computer that I'm looking at, but at least they know that I am accessing the Bleeping Computer web site. Also, since the ISP knows which IP address the request came from, then they also know who I am. This seems to nullify the statement that the user's identity is protected.

 

Obviously, HTTPS does not provide the same anonymity and security as a VPN, but it would be helpful to know what it does provide.

 

Thanks in advance.





#2 britechguy


Posted 01 May 2018 - 05:14 PM

HTTPS encrypts exactly what was stated:  traffic.

 

Your ISP always knows where you're going as it's impossible to get there otherwise, just like the phone company always knows who you've called.  When the traffic is encrypted there is a "handshake" between both ends at the very start of the transaction to establish what they'll be using as a decryption key as each end needs to know the key to use to decrypt traffic from the other end.

 

The user's identity is protected if that data is exchanged as part of the traffic, e.g., when you're doing an online purchase, entering your SSN (or equivalent), etc., from anyone who might "be sniffing" the traffic, as it is encrypted.

 

Any process that involves networking end to end (and that does include phone service) must know the actual identity of the users on each end (or of the intermediary that masks them, e.g., a VPN, which then acts as an anonymous "middle man" for each end, but the VPN obviously knows who you are and who you're "talking to" as it is a network).  The "Virtual" part in VPN means just that.


Brian  AKA  Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1809, Build 17763 

Travel is fatal to prejudice, bigotry, and narrow-mindedness, and many of our people need it sorely on these accounts.  Broad, wholesome, charitable views of men and things cannot be acquired by vegetating in one little corner of the earth all one's lifetime.

       ~ Mark Twain

 

 

 

              

 


#3 Didier Stevens


Posted 03 May 2018 - 03:19 PM

Do you know what DNS is?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#4 britechguy


Posted 03 May 2018 - 03:29 PM

Do you know what DNS is?

 

I'm not sure to whom this question is addressed.  I certainly know what the Domain Name System/a Domain Name Server is.

 

A great synopsis at HowStuffWorks:  https://computer.howstuffworks.com/dns.htm [for the OP, in case needed].




#5 midimusicman79


Posted 04 May 2018 - 07:44 AM

Hi, Warthog-Fan!

 

I am not sure exactly which article you read on the subject of HTTPS, but FWIW:

 

The Electronic Frontier Foundation (EFF) has created HTTPS Everywhere, which is a web browser extension for Firefox, Chrome, and Opera that encrypts your communications with many major websites, making your browsing more secure.

 

Regards,

midimusicman79


MS Win 10 Pro 64-bit, EAM Pro/EEK, MB 3 Free, WPP, SWB Free, CryptoPrevent Free, NVT OSA and Unchecky, WFW, FFQ with CanDef, uBO, Ghostery, Grammarly Free and HTTPS Ew. Acronis TI 2018, K. Sw. Upd. AM-tools: 9-lab RT BETA, AdwCleaner, Auslogics AM, aswMBR, Avira PCC, BD ART, catchme, Cezurity AV, CCE, CKS, ClamWin P., Crystal Sec., DDS, DWCI, EMCO MD, eScan MWAV, ESS/EOS, FGP, FMTB, FRST, F-SOS, FSS, FreeFixer, GMP, GMER, hP BETA, HJT, Inherit, JRT, K. avz4, KVRT, K. TDSSKiller, LSP-Fix, MB 3 Free, MBAR BETA, MA Stinger, NMC, NoBot, NPE, NSS, NVT MRF (NMRF), OTL, PCC, QD, RCS, RSIT, RKill, Rs, SC, SR, SAP, SVRT, SAS, SL, TMHC, TSA ART, UHM, Vba32 AR, VRS, WR (AiO), Xvirus PG, ZAM, ZHPC, ZHPD and Zoek. I have 23 Years of PC Experience. Bold = effective.


#6 Didier Stevens


Posted 06 May 2018 - 12:38 PM

It's addressed to the OP.






