Re: question regarding SSL

2010-11-25 Thread Jochen Schulz
Arthur Bela:
>
> If I use https, then my connection "is safe", ok.

Safe against earthquakes? -No.
Safe against a malicious server admin? -No.
Safe against a man in the middle? Yes, but only under certain
circumstances.

Never say something is generally safe (or secure). Always mention which
risk it is protected against.

> I just want to know: can someone see exactly which link I'm visiting?
>
> I mean, can it only see that I'm visiting THISSITE.COM, or can it see
> THISSITE.COM/SOMELINK.html?

HTTPS encapsulates the complete HTTP traffic in an SSL (strictly
speaking: TLS) connection. So no, a man-in-the-middle cannot see which
URL you requested and he cannot see the server's response.

What HTTPS doesn't hide is who is talking to whom, the time the
communication takes place and what amount of data is transferred. If you
need that, use Tor.

J.
-- 
Fashion is more important to me than war, famine, disease or art.
[Agree]   [Disagree]
 




Re: question regarding SSL

2010-11-25 Thread Andrei Popescu
On Wed, 24 Nov 10, 22:45:59, Arthur Bela wrote:
> If I use https, then my connection "is safe", ok.
> 
> I just want to know: can someone see exactly which link I'm visiting?
> 
> I mean, can it only see that I'm visiting THISSITE.COM, or can it see
> THISSITE.COM/SOMELINK.html?
> 
> Thank you for any info, link :\

If I'm guessing right Tor[1] might be what you are looking for.

[1] http://en.wikipedia.org/wiki/Tor_(anonymity_network)

Regards,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic




Re: question regarding SSL

2010-11-25 Thread Camaleón
On Thu, 25 Nov 2010 12:07:16 +0100, Arthur Bela wrote:

> On 25 November 2010 12:01, Camaleón wrote:

>>> I mean, can it only see that I'm visiting THISSITE.COM, or can it see
>>> THISSITE.COM/SOMELINK.html?
>>
>> Well, I think yes, the URI could be displayed/retrieved. It is
>> registered in plain text in web server logs.

> I meant someone is sniffing the "connection" between my PC and the
> server, not the server admin. :O

Mmmm, by logic (but I can be wrong, though), if Apache stores the
information in plain text there are many chances it can also be fetched
by man-in-the-middle attacks.

> So if someone is sniffing the connection, it can only see that I'm
> visiting https://THISSITE.COM, and it can't see that I visit
> https://THISSITE.COM/SOMELINK.html

Look:

http://en.wikipedia.org/wiki/HTTP_Secure#Limitations

"(...) and in some cases the URI of the encrypted resource can be 
inferred by knowing only the intercepted request/response size..."

Greetings,

-- 
Camaleón


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/pan.2010.11.25.11.40...@gmail.com



Re: question regarding SSL

2010-11-25 Thread Arthur Bela
"Well, I think yes, the URI could be displayed/retrieved. It is registered
in plain text in web server logs."

I meant someone is sniffing the "connection" between my PC and the
server, not the server admin. :O

So if someone is sniffing the connection, it can only see that I'm
visiting https://THISSITE.COM, and it can't see that I visit
https://THISSITE.COM/SOMELINK.html

Thank you!

On 25 November 2010 12:01, Camaleón wrote:
> On Wed, 24 Nov 2010 22:45:59 +0100, Arthur Bela wrote:
>
>> If I use https, then my connection "is safe", ok.
>
> Your connection is encrypted, which means if someone can get a raw dump
> of the transaction data, it will have to decipher the chunk of code.
>
>> I just want to know: can someone see exactly which link I'm
>> visiting?
>
> Mmmm...
>
>> I mean, can it only see that I'm visiting THISSITE.COM, or can it see
>> THISSITE.COM/SOMELINK.html?
>
> Well, I think yes, the URI could be displayed/retrieved. It is registered
> in plain text in web server logs.
>
> Greetings,
>
> --
> Camaleón



Re: question regarding SSL

2010-11-25 Thread Camaleón
On Wed, 24 Nov 2010 22:45:59 +0100, Arthur Bela wrote:

> If I use https, then my connection "is safe", ok.

Your connection is encrypted, which means if someone can get a raw dump
of the transaction data, it will have to decipher the chunk of code.

> I just want to know: can someone see exactly which link I'm
> visiting?

Mmmm...

> I mean, can it only see that I'm visiting THISSITE.COM, or can it see
> THISSITE.COM/SOMELINK.html?

Well, I think yes, the URI could be displayed/retrieved. It is registered 
in plain text in web server logs.

Greetings,

-- 
Camaleón





Re: question regarding SSL

2010-11-25 Thread Arthur Bela
Thank you for the answer!

On 25 November 2010 00:50, Celejar wrote:
> On Wed, 24 Nov 2010 22:45:59 +0100
> Arthur Bela wrote:
>
>> If I use https, then my connection "is safe", ok.
>>
>> I just want to know: can someone see exactly which link I'm
>> visiting?
>>
>> I mean, can it only see that I'm visiting THISSITE.COM, or can it see
>> THISSITE.COM/SOMELINK.html?
>>
>> Thank you for any info, link :\
>
> I'm no expert, and I may be totally wrong, but IIUC, the resource path
> is only sent within the HTTP request, as part of the request method
> (e.g. "GET / HTTP/1.1[CRLF]"), which is encapsulated within the SSL
> session, so it ought to be safe.
>
> Celejar
> --
> foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
> mailmin.sourceforge.net - remote access via secure (OpenPGP) email
> ssuds.sourceforge.net - A Simple Sudoku Solver and Generator



Re: question regarding SSL

2010-11-24 Thread Celejar
On Wed, 24 Nov 2010 22:45:59 +0100
Arthur Bela wrote:

> If I use https, then my connection "is safe", ok.
> 
> I just want to know: can someone see exactly which link I'm visiting?
> 
> I mean, can it only see that I'm visiting THISSITE.COM, or can it see
> THISSITE.COM/SOMELINK.html?
> 
> Thank you for any info, link :\

I'm no expert, and I may be totally wrong, but IIUC, the resource path
is only sent within the HTTP request, as part of the request method
(e.g. "GET / HTTP/1.1[CRLF]"), which is encapsulated within the SSL
session, so it ought to be safe.

Celejar
-- 
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator





question regarding SSL

2010-11-24 Thread Arthur Bela
If I use https, then my connection "is safe", ok.

I just want to know: can someone see exactly which link I'm visiting?

I mean, can it only see that I'm visiting THISSITE.COM, or can it see
THISSITE.COM/SOMELINK.html?

Thank you for any info, link :\

