Friday, November 26, 2010

The danger of HTTPS-Everywhere

There was a new release of the Firefox extension HTTPS-Everywhere a few days ago. This extension always tries to open an URL via SSL encryption. Well, that's not a bad thing at all, but most people don't know how SSL is actually working.

I had some funny conversations about it already and one came up with the thesis, that using SSL allows you to be anonymous in the net because everything is encrypted.
But that's plain wrong. The only encrypted thing is the content which is sent from server to client and the other way around. The used URL is still visible to the ISPs, the government or whoever wants to play big brother.

It is always very annoying to get links from wikipedia which are artificially blown up by HTTPS-Everywhere because WP doesn't only use https:// but https://secure.*
Why the heck are they using this extension on wikipedia? The content is clearly visible for everybody who knows the URL, and the URL is still visible even when using SSL. Big Brother just has to visit this URL to see what the content of the package was which you got from the server.

Well, there's another thing. Gentoo Forums.
I won't blame Gentoo that they don't use a SSL cert from verisign or another 'trusted' company. But my Chrome always shocks me with a bright red "THIS CERTIFICATE CANNOT BE TRUSTED!! ALARM! INTRUDER ALERT!!" when I click on a link to the forums which i got in a messenger by users of HTTPS-Everywhere. Hey, it is just a forum. Nothing top secret on it. The content is even supposed to be visible for everybody. And again, No, you aren't anonymous there just because you're using HTTPS-Everywhere.

If you really want to be anonymous on the net, get a private proxy which doesn't log the traffic, doesn't forward your IP and which is owned by people you don't know and who don't know you either. Also use a fresh installed Windows XP with IE7 and only standard fonts or you won't be able to hide in the crowd.
But please, don't use HTTPS-Everywhere for anonymity. That doesn't work. You're still trackable. Big Brother will know what you did.

No comments:

Post a Comment