HTTPS allows user tracking by OCSP Servers #507

Closed
Atavic opened this issue Sep 17, 2018 · 6 comments

Comments

@Atavic

Atavic commented Sep 17, 2018

Here the Dailystar site is linked. As the site opens, the browser queries an SSL Server (Amazon CloudFront).

The key here is that many SSL certificates have a one-to-one relationship with a specific web site (i.e. not wildcard certificates), so a query to an OCSP responder for a web site certificate essentially tells the certificate issuer that you are accessing that site.

See: zscaler article

As the page is loaded, CSS Files are also fetched through HTTPS via CDN: Cloudfront is queried a second time and also 1e100.net (Alphabet Inc.) is queried. So Amazon and Google know that the user opened this site at a specific time.

DNT-respecting sites, if delivered through HTTPS, make DNT useless:
https://cabforum.org/pipermail/public/2017-June/011346.html

IMHO HTTPS must be used only when the request includes passwords and other personal information, otherwise big actors will track users' browsing with ease.

Related to: #102

@KOLANICH

KOLANICH commented Sep 17, 2018

OCSP stapling prevents this, but server support is required.

@Atavic

Atavic commented Sep 17, 2018

I assume stapling goes by browser's session, so it's a mitigation IMHO

server support is required

And admins must enable it, e.g. digicert SSL Certificate Checker says:

Github OCSP Staple: Not Enabled

Related: #267
https://www.grc.com/revocation/ocsp-must-staple.htm
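A way to run the same "OCSP Staple: Enabled / Not Enabled" check locally with the openssl CLI, as an added example that is not from this issue or from any project it mentions. It assumes `openssl` is on PATH and that the `-status` section of `openssl s_client` output looks like the constructed samples below; `parse_staple()` is kept pure so it can be tested on captured output without network access.

```python
"""Report whether a TLS server staples an OCSP response (added example)."""
import re
import subprocess


def parse_staple(s_client_output: str) -> dict:
    """Classify the `-status` section of `openssl s_client` output.

    Returns {'stapled': bool, 'cert_status': str | None, 'next_update': str | None}.
    'stapled' is True only when the server actually sent a successful response;
    without a staple the browser must ask the CA's responder itself.
    """
    no_staple = {"stapled": False, "cert_status": None, "next_update": None}
    if "OCSP response: no response sent" in s_client_output:
        return no_staple
    if "OCSP Response Status: successful" not in s_client_output:
        # No -status section at all, or a responder error was stapled
        return no_staple
    status = re.search(r"Cert Status:\s*(\w+)", s_client_output)
    nxt = re.search(r"Next Update:\s*(.+)", s_client_output)
    return {
        "stapled": True,
        "cert_status": status.group(1) if status else None,
        "next_update": nxt.group(1).strip() if nxt else None,
    }


def check_staple(host: str, port: int = 443) -> dict:
    """Connect to host:port and report its stapling behaviour (needs network)."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}",
         "-servername", host, "-status"],
        input=b"", capture_output=True, timeout=15,
    )
    return parse_staple(proc.stdout.decode(errors="replace"))


# Constructed sample outputs modelled on the OpenSSL CLI format (not real captures).
SAMPLE_NO_STAPLE = "CONNECTED(00000003)\nOCSP response: no response sent\n"
SAMPLE_STAPLED = (
    "CONNECTED(00000003)\nOCSP response: \n======================================\n"
    "OCSP Response Data:\n    OCSP Response Status: successful (0x0)\n"
    "    Cert Status: good\n    This Update: Sep 17 00:00:00 2018 GMT\n"
    "    Next Update: Sep 24 00:00:00 2018 GMT\n"
)

if __name__ == "__main__":
    import sys
    print(check_staple(sys.argv[1]) if len(sys.argv) > 1 else parse_staple(SAMPLE_STAPLED))
```

Run it as `python check_staple.py example.com` to query a live host; with no argument it classifies the constructed stapled sample.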

@ArchangeGabriel

Yes, HTTPS has privacy implications currently, because of OCSP. But indeed OCSP stapling is solving the issue. It will take time before this is generalised, but not using HTTPS is way worse: it means any machine on the network between you and the website or service you’re using knows everything you do. I’d much rather prefer some CAs to know that I went to this website at this time than anything I’ve just described.

One other thing you could do is disable OCSP while waiting for OCSP stapling to be widespread. Or disable it only when there is no stapling. But not sure if that is currently possible.

Also regarding resources delivered by CDNs, this is a different topic. Either disable fonts/js/css (generally or through uMatrix for instance) and/or use Decentraleyes.

@Atavic

Atavic commented Sep 18, 2018

Did you really just say that?

I'm no terrorist looking for tutorials about how to build bombs at home, at least I don't look for such information every day. That said, I personally prefer not to be tracked by multiple actors while looking up personal, but very innocent topics, let's say music, sport or whatever.

@Atavic

Atavic commented Sep 18, 2018

I see valdikss created a solution here. I'm following his GoodbyeDPI Repository, but I have barely scratched its surface.
