5

I read this article which says GitHub is being blocked in Russia because a single controversial page hosted on it can't be blocked because of HTTPS.

So I'm trying to determine if that implies that my local sys-admin can't keep track of my browsing history.

Though the domain name would be visible to anyone in the middle, are the other parts of the requested URI encrypted, or can the ISP (or whoever is in the middle) see which folders/files on the domain I've requested?

Ƭᴇcʜιᴇ007
anuj_io
  • possible duplicate of [How much information can my ISP see?](http://superuser.com/questions/231991/how-much-information-can-my-isp-see) – Ƭᴇcʜιᴇ007 Dec 04 '14 at 20:08
  • My question is a bit different: I want to know if the URI is also encrypted via HTTPS, or just the content exchanged via that URI. – anuj_io Dec 04 '14 at 20:14
  • Russia is just taking the easy way out in blocking the content they want to ban. If they attempted to block by a single URL, the project in question could simply redirect a domain to the GitHub website and/or change their project name, and thus the URL would be different. – Ramhound Dec 04 '14 at 20:25
  • I don't see a reason why the URI portion of URLs can't be encrypted. If GET requests can be encrypted, then shouldn't a direct link hit (which internally is a GET request itself) encrypt the URI portion? – anuj_io Dec 04 '14 at 20:26
  • Great! Just downvote the question if you can't justify your answers. – anuj_io Dec 04 '14 at 20:36
  • @tea_totaler - voting is anonymous. You can't possibly know who downvoted your question. So making a comment about the downvote is a little silly. – Ramhound Dec 04 '14 at 20:39
  • @^ I didn't point to anyone individually; the only thing I am saying is that the person who downvoted it should have justified it. – anuj_io Dec 04 '14 at 20:41
  • They don't have to, it's anonymous for a reason (it wasn't me BTW). – Ƭᴇcʜιᴇ007 Dec 04 '14 at 20:43
  • I agree they don't have to but that doesn't mean they shouldn't. – anuj_io Dec 04 '14 at 20:45
  • I've tried to clarify your question a bit for future visitors, if you don't like it, feel free to roll it back. :) – Ƭᴇcʜιᴇ007 Dec 04 '14 at 20:47
  • Note that in the absence of a certificate substitution attack (MITM) an administrator can observe all the Layer 3 fields in your packets, and determine what server you are contacting. They cannot, however, see the rest of the URL, so they can tell what server you contacted, but not what you did there. HTTP/HTTPS is a layer 4 protocol, so without substituting the cert, they can't see everything. That said, they control the hardware between you and the server, so it is possible to either replace your host cert, or replace the certificate transparently as the circuit is being created. – Frank Thomas Dec 04 '14 at 20:53
  • I totally understand the case of tracing back the server; however, I failed to put it properly: can a middle-man trace the URI part of my HTTP request? – anuj_io Dec 04 '14 at 20:55

2 Answers

6

Your local sys-admin can track your browsing history if they can get you to install a certificate on your (or their) machine, in which case they can man-in-the-middle your connection.

If you have your own device and are sure they don't have a certificate, the best they can do is get a feel for what sites you are going to by looking at the IP addresses of the sites and the traffic profile (i.e. lots of traffic could imply downloading of videos), and IP addresses of big sites normally have reverse lookups. They can also use DNS records to find the DNS names you requested if you are using their DNS servers, which is likely.

If the sysadmin does not have access to your machine to install the cert or local software, they can't use the network to see what page (i.e. folder) you are going to in the site, as this is encrypted (this information is sent in the header of your request, which happens after SSL is negotiated).

Source: I am a system administrator who handles sites with HTTPS and from time to time manually does HTTP / HTTPS requests to check corner cases.

davidgo
  • I understood your point & thanks for the answer. Just a quick clarification, this means that even my ISP won't be able to see the URI, right? – anuj_io Dec 04 '14 at 20:52
  • There are ISP-level attacks on HTTPS. Several ISPs have been found to employ devices that detect an HTTPS handshake in progress. They then proxy the connection transparently, by replacing your cert with their own to send on to the server, and fake a handshake back to your system, so the tunnel is open as it passes through their device. The site thinks it's talking to you, but it's actually handshaking with the ISP, and you think you are handshaking with the server, but it's actually the ISP that you are connecting with. https://www.schneier.com/blog/archives/2013/09/new_nsa_leak_sh.html – Frank Thomas Dec 04 '14 at 21:01
  • more details here: http://www.sonicwall.com/downloads/SonicOS_Enhanced_5.6_DPI-SSL_Feature_Module.pdf – Frank Thomas Dec 04 '14 at 21:05
  • Correct - provided you don't ignore certificate warnings, your ISP can't see the traffic. @FrankThomas's answer is correct but leaves out that if your ISP is intercepting the traffic this way you will get the same cert warning unless they have managed to get their cert into your browser. It is believed that the NSA may be able to do this kind of thing by having compromised CAs, but your ISP probably can't do this. – davidgo Dec 04 '14 at 21:14
  • Also, in principle the size of the encrypted data can leak some information about what URLs you visit. Simplified example: suppose the ISP knows that the site you visit has on it 1000 small pages and one large downloadable file containing illegal/subversive/dissident information. Suppose you hit the site for 10M of data in 2s. Then you *probably* just downloaded the big file. Of course, GitHub has very many files, and even if Russia were technically equipped to use this technique, (a) it might not get a clear signal, (b) by the time it IDs the file it's already been downloaded. – Steve Jessop Dec 04 '14 at 22:17
  • ...I don't know how common practical attacks using this kind of technique on HTTPS traffic are, though. I vaguely recall it's been used against encrypted VBR streaming audio, at least in the lab. Turns out some phonemes compress better than others, so in the best case (for the attacker), the bitrate isn't too far off a straight substitution cipher for the text being spoken! – Steve Jessop Dec 04 '14 at 22:21
  • @davidgo The NSA already has root certificates installed on most computers anyways, they wouldn't need to compromise another CA. – Thebluefish Dec 05 '14 at 00:59
  • @Thebluefish Can you advise your evidence for this? I accept that they almost certainly have compromised CAs (probably even to the point of being able to demand they generate keys and not talk about it), but I've not seen evidence of the NSA actually owning a CA. – davidgo Dec 05 '14 at 06:28
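To make davidgo's point concrete (the server name is visible on the wire, the requested path is not, and only the size of the encrypted request leaks, as Steve Jessop notes), here is an added example that is not part of the thread: it hand-builds a TLS ClientHello carrying the Server Name Indication extension, the cleartext field in which the browser names the host, parses it the way a passive middlebox would, and then shows that the record carrying the HTTP request line exposes only its type and length. It assumes TLS 1.2-style record framing, and the Application Data body is random bytes standing in for ciphertext (constructed, not real TLS).

```python
"""Passive observer's view of a TLS connection (added illustration, not code from the thread)."""
import os
import struct

def build_client_hello(hostname: str) -> bytes:
    """Minimal TLS ClientHello record with one server_name (SNI) entry."""
    name = hostname.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
    sni_ext = (struct.pack("!HH", 0, len(sni_entry) + 2)        # ext type 0, ext length
               + struct.pack("!H", len(sni_entry)) + sni_entry)  # server_name_list
    body = (b"\x03\x03" + b"\x00" * 32           # client_version, random (constructed zeros)
            + b"\x00"                            # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
            + b"\x01\x00"                        # compression: null only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def build_app_data(plaintext: bytes) -> bytes:
    """Stand-in for the encrypted record that carries the HTTP request line."""
    ciphertext = os.urandom(len(plaintext) + 16)   # constructed, not real AEAD output
    return b"\x17\x03\x03" + struct.pack("!H", len(ciphertext)) + ciphertext

def observer_view(record: bytes) -> dict:
    """Parse one TLS record the way a passive middlebox does, without any key."""
    rtype, length = record[0], struct.unpack("!H", record[3:5])[0]
    if rtype == 0x17:                          # Application Data: opaque payload
        return {"kind": "ApplicationData", "ciphertext_len": length}
    if rtype != 0x16 or record[5] != 0x01:     # not a ClientHello
        return {"kind": "other"}
    p = 5 + 4 + 2 + 32                         # skip handshake header, version, random
    p += 1 + record[p]                         # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher suites
    p += 1 + record[p]                         # compression methods
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    sni = None
    while p < ext_end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        if etype == 0:                         # server_name: read the first host_name
            name_len = struct.unpack("!H", record[p + 7:p + 9])[0]
            sni = record[p + 9:p + 9 + name_len].decode()
        p += 4 + elen
    return {"kind": "ClientHello", "sni": sni}

if __name__ == "__main__":
    req = b"GET /some/controversial/page HTTP/1.1\r\nHost: github.com\r\n\r\n"
    print(observer_view(build_client_hello("github.com")), observer_view(build_app_data(req)))
```

The path in the request line never appears in what the observer parses; the hostname does, which is exactly the split between "what server" and "what you did there" described in the comments.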
2

So does it imply that even my local sys-admin can't keep track of my browsing history?

No, not necessarily. A sysadmin can perform a man-in-the-middle attack if they put a custom certificate on the client computer.

If you click on the lock icon in the address bar of a secure site at home, it will say who the certificate issuer is and what the private key is. If you perform the same action at work and it says the same information - you are probably safe. If it does not, that's a huge red flag that someone may be intercepting your traffic.

As you said, they do know what websites you are visiting because of DNS - just not what is being transferred.

EDIT: To clarify, because of DNS they know what SERVERS you are visiting, but not the entire URI.

Arthur
  • I so want to believe you, but is there any online citation which confirms the same? – anuj_io Dec 04 '14 at 20:39
  • Sorry, no. I've done this before for purely experimental purposes, so I know it's possible; the best article would be the Wikipedia one on man-in-the-middle attacks. – Arthur Dec 04 '14 at 20:43
  • I have read it so many times, but nowhere does it talk about the URI. :( – anuj_io Dec 04 '14 at 20:43
  • Grab Wireshark, start a recording and watch the process between a standard http:// vs. a https:// connection. I know this isn't a super helpful answer, but it's fun to watch and at least this way you can confirm what I'm saying with your own eyes. Plus, Wireshark is a useful tool. – Arthur Dec 04 '14 at 20:45
  • Hi5 man! This is what I am talking about. I will definitely try out Wireshark. – anuj_io Dec 04 '14 at 20:47