
po : https   26

FiloSottile/mkcert: A simple zero-config tool to make locally trusted development certificates with any names you'd like.
security  tools  ssl  https  localhost  tls  certificates  pki  root.stores  golang  testing 
9 weeks ago by po
Intrexa comments on Once your internet history is up for sale, insurance companies be like...
When I type into my browser https://squatcobbling.com/crying, wtf even goes on here? My computer goes "Alright, I need to talk to the computer at squatcobbling.com, but I have no clue where that is. But I know a guy who does". Your computer checks DNS for the IP.
WTF is DNS? A lot like an address book, and just like an address book, there are tons of different domain name servers out there. By default, you would be using the DNS provided by your ISP. You can tell your computer to use a different DNS, by Google or Dyn or whomever. So when your computer reaches out to the DNS server and says "I'm not here for judgement, but I need to know where I can find squatcobbling.com", that DNS server is totally judging you and whichever organization runs it can totally log that your IP requested that domain. That's just the domain, and that's just the DNS server.
Alright, your computer has the IP address it needs, now we need to actually talk to the server. We said https, so we need to start the https protocol, we craft a nice little network packet saying you want some encryption, and send it to squatcobbling.com. You take that packet, and hand it to your ISP, and say "Deliver this for me", and your ISP now knows you are creating a connection.
Squatcobbling.com receives your request for some encryption, and hands you back their public SSL cert. It's basically a nice little business card that says "Hi, my name is squatcobbling.com, and if you encrypt something using this public key, I can decrypt it". You get that cert, and go "Look at that subtle off-white coloring. The tasteful thickness of it. Oh, my God. It even has a watermark." but you don't know if it's legit or not.
Fortunately, you know a guy, the certificate authority (CA) that issued the card. So, you reach out to the CA and go "Hey, is this legit?" The CA looks it over, and goes "Squat cobbling? Really dude? But yeah, this is legit". The CA knows you were checking out squatcobbling.com.
Cool, so it's legit. You do some more SSL back and forths with squatcobbling.com to establish the SSL connection that aren't really important here. Once you do that, it's time for you to actually get what you want. So you write up a little note:
GET /crying HTTP/1.1
Host: squatcobbling.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Perfect! You encrypt it using the SSL connection you established. It's jumbled, the only 2 people that can read the jumbled message are squatcobbling.com, and you. And everyone at the NSA. You take that encrypted message, make a nice little network packet, label it "Squatcobbling.com", and hand it to your ISP saying "Hey, can you deliver this for me?". They try and peek inside, but it's encrypted at this point, they can't. All they know is that you are communicating with the site, not what page you are actually going to. That would be really embarrassing.
So, when squatcobbling.com gets the packet, they decrypt it, see your GET request is for their /crying section, and respond with that. It encrypts the response, and sends it back. Your search terms will always be in this encrypted section, and will not be readable by your ISP. In the case of nesting directories and query string parameters, the GET request would look like:
GET /crying/nude?length=long
So, to recap, with HTTPS, all you leak is the name of the server, and you leak it to the DNS server, your ISP, and the CA. With HTTP, you leak everything to your ISP, and you should also assume someone could be eavesdropping somewhere, and that it's possible you're not even talking to the server you requested and want.
dns  explanation  https  reddit 
march 2017 by po
