Re: [liberationtech] Riseup registration process a bit odd...

2013-10-29 Thread Michael Rogers
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 29/10/13 16:50, Douglas Lucas wrote:
 That no one can see an HTTPS URL seems contradicted by this EFF
 Tor and HTTPS diagram: https://www.eff.org/pages/tor-and-https
 
 For the diagram, if you click the HTTPS button to show what data
 is visible with only HTTPS enabled, you can see that some of the
 data is encrypted, but not the site name (site.com in the
 diagram).
 
 Can anyone clarify?

The site name is visible, but not the rest of the URL.

Cheers,
Michael

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJSb92eAAoJEBEET9GfxSfMjpUH/RQDPP6H8Dz5NVNKHorfoxb0
ehAK4g99o51zt7B0123HMLnyTwK+uTOqMSwGuTFwFH0Ma/ohGOJ4FJPQs/MnkqOH
fOQCYjHN7w4IPg8PaaSO/MXmFEwK9sagQatz0T4HyKRZJba1+xJUVi+f1fch6ChF
GwAfevc7dW2GSCGUpUu4//rbF5ZxHTvDpKJJyXjCD/ME98i3IHBiHNpPK1SyE23B
SUTUFBWI2Qhw2heirYYbpI+gf96OTP+1veaMqBGvtLqSsGDBdgIFeRMVwjFBAa3m
RTiqX9BbDGwwgyF/gcpA0rkjTKPkQaDSUbHYOmMs/aKnVcUxEAGBX1B4FIxhA0Y=
=ScAS
-----END PGP SIGNATURE-----
-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.


Re: [liberationtech] Riseup registration process a bit odd...

2013-10-29 Thread bou

On 29/10/13 16:50, Douglas Lucas wrote:
 Can anyone clarify?

When you're using https, all or most of those agents see your location
and the website you're visiting. In this case, your 'location' and the
fact that you are looking at 'some page within the riseup page'. No one
except the riseup server serving you each page (and by extension the
admin if they actually 'look', but it could be they don't 'look' unless
there is a troubleshooting need) can see what page of the riseup website
you are looking at, nor what user name or password you are inputting.

In the diagram,
https://www.eff.org/pages/tor-and-https
when you make the https button go green, as in, when you're using
https, only 'lawyer' and 'police' of the sysadmin of site.com know more
than that, and that only if the sysadmin tells them.

tor seems to add more 'agents' who know little if you're using https.

People need to understand that tor is for anonymity and https is for
privacy - two different tools for two different purposes.

better off undetected ;)

-- 
https://network23.org/bou/



Re: [liberationtech] Riseup registration process a bit odd...

2013-10-29 Thread Richard Brooks
I would assume that they see the port, too.

It is also well known that URLs have identifiable
signatures based on the number of items retrieved
and the packet sizes. In most cases, it is easy to
infer the URLs visited. But the encryption should
protect data entered into forms.

So, the sequences of URLs seen is not available in
clear text, but it is not hard to guess correctly.
See:

http://research.microsoft.com/pubs/119060/webappsidechannel-final.pdf

On 10/29/2013 01:09 PM, Sean Alexandre wrote:
 This site name (or domain name) is exposed, but not the URL. So for example if
 I browse to this URL using Tor:
 https://user.riseup.net/ticket/123456/foo.bar
 
 The exit node can see the domain name:
 user.riseup.net
 
 but not the URL:
 https://user.riseup.net/ticket/123456/foo.bar
 
 Or, another way to say it is the domain name is part of the URL but is not 
 the URL.
 
 On Tue, Oct 29, 2013 at 11:50:54AM -0500, Douglas Lucas wrote:
 That no one can see an HTTPS URL seems contradicted by this EFF Tor and
 HTTPS diagram: https://www.eff.org/pages/tor-and-https

 For the diagram, if you click the HTTPS button to show what data is
 visible with only HTTPS enabled, you can see that some of the data is
 encrypted, but not the site name (site.com in the diagram).

 Can anyone clarify?

 Thanks,

 Douglas

 On 10/29/2013 07:29 AM, andrew cooke wrote:

 it's https.  no-one else can see the url.

 http://security.stackexchange.com/questions/7705/does-ssl-tls-https-hide-the-urls-being-accessed

 andrew


 On Tue, Oct 29, 2013 at 01:01:55PM +0100, Alex Comninos wrote:
 Hi All

 So I am looking to make a #PRISMBREAK and get a riseup.net account. It
 will be no secret, as I am aiming for alex.comni...@riseup.net, and I
 will advertise this publicly.

 The registration process seems a bit odd. I get an HTTPS link to check
 my ticket.

 The link looks something like
 https://user.riseup.net/ticket/**/***

 The first set of stars is the ticket number, the second is the email
 address used to register.

 I can, I believe, visit this link to monitor the progress of my ticket.
 However, any one on the network I used to register, and all the way
 along the internet to riseup.net can see this link, if I used TOR,
 presumably the exit node. The link reveals that I have a ticket with
 riseup and intending to register, the email I am using to register it.
 The link can then be followed by anyone who saw it along its way on
 the internet, and my ticket read with my possibly private motivation
 for doing so elaborated (does not require a login).

 My link was:

 https://user.riseup.net/ticket/813773/alex[dot]comninos[at]gmail[dot]com

 Replace the words in square brackets with punctuation, and I invite
 you to read my motivation to open a riseup account.

 I am no information security professional, so please let me know if
 anyone else thinks the registration process may be a bit insecure.

 Kind regards.
 ...
 Alex Comninos | doctoral candidate
 Department of Geography | Justus Liebig University, Gießen
 http://comninos.org | Twitter: @alexcomninos



[liberationtech] Expanding beyond China

2013-10-29 Thread Charlie Smith
We have been monitoring online censorship in China since 2011 via
GreatFire.org. In 2012, we launched FreeWeibo where we make available
weibos (the equivalent of Twitter’s tweets) that have been censored on Sina
Weibo, the most popular microblog in China and the country's biggest single
social network. Using a range of sources, we operate the only database of
censored Chinese user content anywhere. We currently make available 20
million weibos out of which 235,000 are confirmed to have been censored. We
are able to detect high-level censored content in real time. It’s both a
demonstration of what an uncensored Chinese Internet could look like, and a
practical tool for keeping up to date on what the Chinese authorities don’t
want you to know.

We are now considering expanding our offerings beyond China and I am
curious in hearing about which countries (and why) the members of this list
feel should warrant our initial attention.

-- 
Charlie Smith

https://freeweibo.com
https://en.greatfire.org/press

@CensoredWeibo https://www.twitter.com/CensoredWeibo
@GreatFireChina http://www.twitter.com/greatfirechina

Re: [liberationtech] Riseup registration process a bit odd...

2013-10-29 Thread andrew cooke

people are saying that the site name is visible, but that's not strictly
correct.

a server can have many names.  with https, someone can see which server you
connected to, but they don't see which name you used to do so.

(although a very powerful attacker might be able to infer that from other
data - dns queries)

the eff tor/https diagram (which is excellent) assumes that the server has a
single name (site.com), which is often the case (especially for large, popular
sites).  then it is easy to infer the name from the server.

i don't know of anywhere that this is used, but in principle a server could
host https://catlovers.com and https://terrorism.com, with the first providing
cover for the latter (why are you connecting to terrorism.com?  i am not;
i am looking at cute pictures of cats!).  but as someone else said, some
information will leak with the size of packets, etc, so it probably isn't that
secure or useful anyway.

to understand this further you need to understand the concept of layered
protocols.  the ssl/tls layer is below the http layer and above the ip
layer.  so the ip address is visible, but the site name (in the http data, in
the url) is not.

andrew




Re: [liberationtech] Riseup registration process a bit odd...

2013-10-29 Thread Ben Laurie
On 29 October 2013 17:49, andrew cooke and...@acooke.org wrote:
 people are saying that the site name is visible, but that's not strictly
 correct.

 a server can have many names.  with https, someone can see which server you
 connected to, but they don't see which name you used to do so.

Yes they do: it's included in the Server Name Indication extension.
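Michael's "the site name is visible, but not the rest of the URL", andrew's layered-protocols explanation and Ben's SNI correction all describe the same wire bytes. The script below is an added example, not code from the thread or from any project named in it, and uses only Python's standard ssl module: it drives a real TLS client against in-memory BIOs so that it emits its ClientHello without opening a socket, then parses that cleartext record the way a passive on-path observer would and pulls out the server_name (SNI) value. The path of the URL never appears in the ClientHello; it is sent as HTTP inside the encrypted session only after the handshake. The URL is the constructed example from earlier in the thread.

```python
import ssl
from typing import Optional
from urllib.parse import urlsplit

# Constructed example URL (the shape used in the thread); not a live ticket.
EXAMPLE_URL = "https://user.riseup.net/ticket/123456/foo.bar"


def build_client_hello(hostname: str) -> bytes:
    """Drive a real TLS client just far enough to emit its ClientHello and
    return the bytes it would put on the wire. No socket is opened: the
    handshake runs against in-memory BIOs and stops when it needs a reply."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, client now waits for ServerHello
    return outgoing.read()


def extract_sni(record: bytes) -> Optional[str]:
    """Parse a cleartext TLS record carrying a ClientHello and return the
    host_name from its server_name extension (RFC 6066), or None."""
    try:
        if record[0] != 0x16:  # ContentType.handshake
            return None
        body = record[5:5 + int.from_bytes(record[3:5], "big")]
        if body[0] != 0x01:  # HandshakeType.client_hello
            return None
        pos = 4 + 2 + 32  # handshake header, legacy_version, random
        pos += 1 + body[pos]  # legacy_session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + body[pos]  # legacy_compression_methods
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")  # extensions
        pos += 2
        while pos + 4 <= end:
            ext_type = int.from_bytes(body[pos:pos + 2], "big")
            ext_len = int.from_bytes(body[pos + 2:pos + 4], "big")
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0:  # 0 = server_name
                continue
            p = 2  # skip ServerNameList length
            while p + 3 <= len(data):
                name_type = data[p]
                name_len = int.from_bytes(data[p + 1:p + 3], "big")
                if name_type == 0:  # NameType.host_name
                    return data[p + 3:p + 3 + name_len].decode("ascii")
                p += 3 + name_len
    except IndexError:
        return None  # truncated or malformed record
    return None


def visible_on_the_wire(url: str) -> dict:
    """Split a URL into what an on-path observer gets in cleartext (host via
    SNI, TCP port) and what only travels inside the TLS session (path, query)."""
    parts = urlsplit(url)
    hello = build_client_hello(parts.hostname)
    path = parts.path + ("?" + parts.query if parts.query else "")
    return {
        "cleartext_host": extract_sni(hello),
        "cleartext_port": parts.port or 443,
        "path_in_cleartext": path.encode() in hello,
        "encrypted_path": path,
    }


if __name__ == "__main__":
    for key, value in visible_on_the_wire(EXAMPLE_URL).items():
        print(f"{key}: {value}")
```

The same parser is what a network monitor or IDS uses to log destination hostnames from HTTPS traffic, which is the practical reason the "server can have many names" argument does not hide the name: the client announces it in the clear before any key is agreed. The IP address and port come from the IP and TCP headers below the TLS layer, exactly as andrew's layering description says; only the HTTP request line with the path sits above TLS and stays inside the encrypted session.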


Re: [liberationtech] Riseup registration process a bit odd...

2013-10-29 Thread Richard Brooks
getnameinfo() should provide a list of DNS names associated
with the IP address. So that catlovers.com and terrorism.com
would both be included.

Of course, the machine can have multiple IP and DNS names.

On 10/29/2013 01:49 PM, andrew cooke wrote:
 
 people are saying that the site name is visible, but that's not strictly
 correct.
 
 a server can have many names.  with https, someone can see which server you
 connected to, but they don't see which name you used to do so.
 
 (although a very powerful attacker might be able to infer that from other
 data - dns queries)
 
 the eff tor/https diagram (which is excellent) assumes that the server has a
 single name (site.com), which is often the case (especially for large, popular
 sites).  then it is easy to infer the name from the server.
 
 i don't know of anywhere that this is used, but in principle a server could
 host https://catlovers.com and https://terrorism.com, with the first providing
 cover for the latter (why are you connecting to terrorism.com?  i am not;
 i am looking at cute pictures of cats!).  but as someone else said, some
 information will leak with the size of packets, etc, so it probably isn't that
 secure or useful anyway.
 
 to understand this further you need to understand the concept of layered
 protocols.  the ssl/tls layer is below the http layer and above the ip
 layer.  so the ip address is visible, but the site name (in the http data, in
 the url) is not.
 
 andrew
 
 


[liberationtech] GlobaLeaks - SecureDrop comparison Security improvements

2013-10-29 Thread Fabio Pietrosanti (naif)
Hi,

we worked on a preliminary comparison between GlobaLeaks and SecureDrop
on which we'd like to receive feedback and cooperation to improve it:
https://docs.google.com/spreadsheet/ccc?key=0AqtQ4kKC2rLzdFFRMGFTM0haVmRibnNXWWljU0cwTFEusp=sharing

Then we collected a set of major and minor Security Improvements into a
Project Proposal also to enable GlobaLeaks to be deployed with
SecureDrop-like architecture:
https://docs.google.com/document/d/15tyTSRKETzcamfgvZ4TOh9mzLV2STnQduZRKnG8fEZQ/edit?usp=sharing

We'd love to receive some constructive feedback, criticism and
contributions on those documents.

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org
