
To play the devil's advocate: TLS on websites where you are not logged in is the greatest security hogwash of all time.

For example the cookies of the NYT:

  - Store and/or access information on a device: 178 vendors
  - Use limited data to select advertising: 111 vendors
  - Create profiles for personalised advertising: 135 vendors
  - Use profiles to select personalised advertising
  - Understand audiences through statistics or combinations of data from different sources: 92 vendors

There is no way to escape any of this unless you spend several hours per week to click through these dialogs and to adjust adblockers.

And even if you block all cookies, evercookies and fingerprinting, there are still Cloudflare, Amazon, GCP and Azure, who know your cross-site visits.

The NSA is no longer listening because there is TLS everywhere? Sure, and the earth is flat.



TLS is not just for encryption, but also for integrity. The content you are seeing is exactly as intended by the owner of the domain or webservice (for whatever that is worth). No easy way to mitm or inject content on the way.


This has nothing to do with TLS’s security model. You still have to trust the site you’re connecting to.


"There is no way to escape any of this unless you spend several hours per week to click through these dialogs and to adjust adblockers."

I read NYT with no cookies, no JavaScript and no images. Only the Host, User-Agent (googlebot) and Connection headers are sent. A TLS forward proxy sends the requests over the internet, not the browser. No SNI. No meaningful "fingerprint" for advertising.

This only requires accessing a single IP address used by NYT. No "vendors".

TLS is monitored on the network I own. By me.

I inspect all TLS traffic. Otherwise the connection fails.


Just curious, what is your tech stack to live-inspect all TLS traffic?


The method used by the individual on their home network is no different from the method used by the Fortune 500 and NASDAQ-100 on their own networks.

A variety of software can be used.

Anything from something like socat up to a large proxy server will work.


> The NSA is no longer listening because there is TLS everywhere? Sure, and the earth is flat.

I’d be very surprised if they haven’t had several of the root trust entities compromised from day one. I wouldn’t rely on TLS with any of the typical widely-deployed trust chains for any secrecy at all if your opponent is US intelligence.


What about certificate transparency?


TLS is cool for stopping your ISP from MITMing your traffic (usually to insert shitty banner ads or something).

Otherwise I find it a scourge, particularly when I want to run https over a private network, but browsers have a shitfit because I didn't publicly announce my internal hosts.

There's plenty of traffic that has no need to be encrypted, and where not much privacy is added since the DNS queries are already leaked (as well as what the site operator and their many "partners" can gather).

I'm glad you can get free certs from Let's Encrypt, but I hate that https has become mandatory.