• We’re currently investigating an issue related to the forum theme and styling that is impacting page layout and visual formatting. The problem has been identified, and we are actively working on a resolution. There is no impact to user data or functionality, this is strictly a front-end display issue. We’ll post an update once the fix has been deployed. Thanks for your patience while we get this sorted.

What's the point of SSL on Wikipedia?

A

anacct3

Junior Member
I am wondering if there are any advantages to SSL for info sites like Wikipedia where there's no need to log in.

For instance, I would imagine there's SOME advantage to Google's SSL protection on a search engine because it can hide your search terms from unsecured wireless hotspots. But are the search terms also hidden from ISPs?

Also, if you do SSL on Wikipedia like so (https://secure.wikimedia.org/wikipedia/en/wiki/Test), is the full URL path hidden or revealed to ISPs? I'm not sure if the URL paths work the same like they do with search term variables.

The other thing is that upload.wikimedia.org images are all in non-SSL, so it's not as if you'll actually get any privacy from the unlikely scenario of those snooping.

I think it's a step in the right direction to encrypt EVERY net transmission, so this isn't a complaint, but what do you think of the current state of SSL encryption on sites like Wikipedia?
 
SSL encrypts the data between the client and the server.

Asides from the IP addresses, pretty much everything is hidden from the ISP and anyone else while the data is in transit when you're using SSL. The URL path would be encrypted as well, including the domain name. The ISP would have to lookup the IP address of the site to see where you are going to.
 
WobbleWobble said:
Asides from the IP addresses, pretty much everything is hidden from the ISP and anyone else while the data is in transit when you're using SSL.
Click to expand...

Not entirely true. Since your ISP sits in between you and the Web Server, it is very easy for there to be a Man-in-the-Middle attack at your ISP which allow them (decrypted) access to your traffic.
 
seepy83 said:
Not entirely true. Since your ISP sits in between you and the Web Server, it is very easy for there to be a Man-in-the-Middle attack at your ISP which allow them (decrypted) access to your traffic.
Click to expand...

Man in the middle of a secure connection?

Sure they may be able to intercept the packets; however, if the latest encryption standards are used, I don't see how they are going to get access to the data...

-Kevin
 
Gamingphreek said:
Man in the middle of a secure connection?

Sure they may be able to intercept the packets; however, if the latest encryption standards are used, I don't see how they are going to get access to the data...

-Kevin
Click to expand...

A typical MITM for SSL would involve you (the bad guy in the middle) setting up your own SSL session with your target, and your own SSL session with the web server that your target is establishing a secure connection with. Then, you act like a proxy in between your target and the web server they are trying to talk to.

Certificate errors in current web browsers would throw up the red flag for savvy users, but your typical web surfer might not know the difference.
 
seepy83 said:
A typical MITM for SSL would involve you (the bad guy in the middle) setting up your own SSL session with your target, and your own SSL session with the web server that your target is establishing a secure connection with. Then, you act like a proxy in between your target and the web server they are trying to talk to.

Certificate errors in current web browsers would throw up the red flag for savvy users, but your typical web surfer might not know the difference.
Click to expand...

I think the best you can do is to take reasonable steps toward checking certificate authenticity to prevent MITM attacks. Besides that, I know that SSL isn't unbreakable.

That said, I think SSL is useful in not showing all of your search terms and generally what's on your mind to some people like ISPs and unsecured wireless snoopers so that it just cuts down on the likelihood of your privacy being breached. Can't hide from Google if you choose to use their services (unless Tor is involved) but at least you can try to hide from secondary information collectors.

But there seems to be little educated consensus about just how much SSL can hide from casual snooping and that's what I was curious about. It seems like if the sites you're visiting are only partially encrypted, with the right software, it would be very little effort to recreate a lot of your web usage simply by viewing the unencrypted portions so that the partial encryption is really useless for any kind of privacy.
 
SSL being breakable or unbreakable is inherently incorrect.

SSL is merely the end to end means of creating and transmitting data securely over an unsecure medium. It has nothing to do with the default encryption standard that is used to actually secure the data.

For instance, I can use AES-256 as the means of encryption over an SSL connection and it doesn't matter if someone gets ahold of the packets or not (Though I would prefer that they don't) as AES-256 is as close as we get to unbreakable these days.
 
Gamingphreek said:
SSL being breakable or unbreakable is inherently incorrect.

SSL is merely the end to end means of creating and transmitting data securely over an unsecure medium. It has nothing to do with the default encryption standard that is used to actually secure the data.

For instance, I can use AES-256 as the means of encryption over an SSL connection and it doesn't matter if someone gets ahold of the packets or not (Though I would prefer that they don't) as AES-256 is as close as we get to unbreakable these days.
Click to expand...

You're looking at this from a too technical point of view. Slip a proxy inline on the network reading all the HTTP traffic. Find a link that points to https and you generate a self signed cert for the domain and then you intercept their SSL traffic. On a closed network where you can alter the Root CA's used on the PCs(Enterprise environments) then you can even get all the client PC's to show a full SSL connection without any problems. The only way to detect you're being proxied in that case is by inspecting the certs.

In the general sense(using public wifi etc) there's always going to be a warning sign that your SSL traffic is being compromised. Usually because your browser will detect the self signed cert, or you'll be redirected to a http site after you click on a https link.
 
Crusty said:
You're looking at this from a too technical point of view. Slip a proxy inline on the network reading all the HTTP traffic. Find a link that points to https and you generate a self signed cert for the domain and then you intercept their SSL traffic. On a closed network where you can alter the Root CA's used on the PCs(Enterprise environments) then you can even get all the client PC's to show a full SSL connection without any problems. The only way to detect you're being proxied in that case is by inspecting the certs.

In the general sense(using public wifi etc) there's always going to be a warning sign that your SSL traffic is being compromised. Usually because your browser will detect the self signed cert, or you'll be redirected to a http site after you click on a https link.
Click to expand...

Exactly. And even if you're not in an enterprise environment, if there is a vulnerability that can alter the trusted root CAs on your target as needed, then it's much more likely that this type of attack could occur at any point on the wire between you and the web server.

I'm not saying that everyone should be paranoid and it's likely that this would occur today. Just be aware that the possibility is out there.
 
You must log in or register to reply here.

TRENDING THREADS

Back
Top