* Ted Hardie wrote:
> But I want to point out something about blogs or similar public statements;
> while some systems require real names, not all do. It's quite possible to
> have an online journal or blog that uses a pseudonym and it's actually
> relatively easy for that to be an okay outlet for a gay kid worried about
> pervasive surveillance. If that kid connects to largeblogsite.example over
> a TLS-protected link, the metadata shows the connection, but not the
> content. If largeblogsite has blogs on knitting, agriculture, and custom
> cars, there is no signal to those engaged in surveillance that the blogs of
> interest are LGBT in nature.
I was under the impression that TLS as currently deployed would still let an attacker know roughly when and how many bytes are exchanged, and if the blogs are reasonably static and public that should be enough to reconstruct which are being read, especially if you can capture repeat visits (the knitting blog might feature small vector graphics with knitting patterns, and the custom cars blog might have large photos, so if the user downloads a lot, custom cars are much more likely).

(And in practice there are many more problems, like the blogs might be on different hostnames and the DNS lookup gives you away, or they might load resources from third-party hosts, so you can tell blogs that have some video from a popular video site on them from those that have not, simply from the client connecting to the video service after loading up whatever blog they are interested in, and so on.)
-- 
Björn Höhrmann · mailto:[email protected] · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
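The inference Björn describes (matching the byte counts and the set of hosts a client contacts against a catalog of public, static blogs), as an added worked example. This is not code from the thread or from the perpass working group. Everything in it is constructed: the catalog of three blogs and their response sizes are invented, `largeblogsite.example` is the host from Ted's message, `videos.example` is an invented third-party video host, and the TLS framing numbers (16 KiB records, 22 bytes of header and AEAD tag per record) are an assumption chosen to resemble TLS 1.3. The padding part goes one step beyond the message: it shows that padding responses hides the size signal between blogs that live entirely on the main site, while the extra connection to the video host still identifies the blog with an embed.

```python
"""Added example: what a passive observer can infer from TLS metadata
(ciphertext bytes per connection and the hostnames contacted) about
which static blog on largeblogsite.example a client read.

Not code from the perpass thread. The catalog, the sizes and the
captured flows below are constructed illustration data."""

from __future__ import annotations

from math import ceil

# Assumed TLS framing (TLS 1.3 with an AEAD cipher suite): application data
# is split into records of at most 16 KiB, and each record adds a 5-byte
# header, a 1-byte inner content type and a 16-byte authentication tag.
RECORD_MAX = 16384
RECORD_OVERHEAD = 5 + 1 + 16

SITE = "largeblogsite.example"   # host from Ted's message
VIDEO_HOST = "videos.example"    # invented third-party embed host

# Constructed catalog: blog -> [(path, plaintext response size, serving host)].
# The sizes are invented; what matters is that they differ by a lot.
CATALOG = {
    "knitting": [
        ("/knit/", 18_000, SITE),
        ("/knit/pattern.svg", 6_000, SITE),
    ],
    "agriculture": [
        ("/farm/", 22_000, SITE),
        ("/farm/field.jpg", 95_000, SITE),
    ],
    "custom cars": [
        ("/cars/", 20_000, SITE),
        ("/cars/hotrod.jpg", 410_000, SITE),
        ("/embed/player.js", 150_000, VIDEO_HOST),  # embedded video player
    ],
}


def wire_bytes(plaintext_len: int, pad_to: int | None = None) -> int:
    """Ciphertext bytes the observer sees for one response: optional
    server-side padding of the body up to a multiple of pad_to, then the
    assumed TLS record framing on top."""
    if pad_to:
        plaintext_len = ceil(plaintext_len / pad_to) * pad_to
    records = max(1, ceil(plaintext_len / RECORD_MAX))
    return plaintext_len + records * RECORD_OVERHEAD


def simulate_flow(blog: str, pad_to: int | None = None) -> dict[str, int]:
    """Metadata a passive observer records for one visit: server-to-client
    bytes per contacted host (hostnames leak through DNS and the SNI
    extension). Timing and request sizes are left out for brevity."""
    flow: dict[str, int] = {}
    for _path, size, host in CATALOG[blog]:
        flow[host] = flow.get(host, 0) + wire_bytes(size, pad_to)
    return flow


def classify(flow: dict[str, int], pad_to: int | None = None) -> list[tuple[str, int]]:
    """Rank catalog blogs by how well they explain an observed flow.

    Score = byte distance on the main site, plus a large penalty for each
    third-party host the candidate needs but the flow lacks (or the flow
    has but the candidate does not). Lower is better; an exact tie means
    the observer cannot tell those candidates apart.
    """
    seen_third_party = set(flow) - {SITE}
    ranked = []
    for blog in CATALOG:
        expected = simulate_flow(blog, pad_to)
        host_mismatch = len((set(expected) - {SITE}) ^ seen_third_party)
        size_gap = abs(expected.get(SITE, 0) - flow.get(SITE, 0))
        ranked.append((blog, size_gap + 1_000_000 * host_mismatch))
    return sorted(ranked, key=lambda item: item[1])


def best_guess(flow: dict[str, int], pad_to: int | None = None) -> str | None:
    """Top candidate, or None when the two best scores tie."""
    ranked = classify(flow, pad_to)
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        return None
    return ranked[0][0]


if __name__ == "__main__":
    # Unpadded: byte counts alone single out the blog, even with some noise.
    captured = simulate_flow("agriculture")
    captured[SITE] += 1_200  # constructed noise, e.g. one small extra asset
    print(classify(captured))

    # Padding every response to 512 KiB hides the size difference between
    # the two blogs that live entirely on largeblogsite...
    bucket = 512 * 1024
    print(best_guess(simulate_flow("knitting", bucket), bucket))

    # ...but the extra connection to the video host still gives cars away.
    print(best_guess(simulate_flow("custom cars", bucket), bucket))
```

The per-host byte total is the weakest usable fingerprint; a real observer also has record boundaries, inter-packet timing and the request sizes, all of which survive padding of individual responses. The padding branch illustrates why hiding sizes is necessary but not sufficient: as long as the third-party fetch happens on a separate connection to a separately resolved hostname, the host set alone partitions the catalog.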
