[sf-lug] misinformation [was: Re: https hack]

Michael Paoli Michael.Paoli at cal.berkeley.edu
Mon Aug 22 21:06:17 PDT 2016


I've certainly got to agree with others, that some of the
misinformation that some of the "tech press" puts out
is quite appalling - and that probably applies double or
more to security related articles.

For example this one:

> To: sf-lug <sf-lug at linuxmafia.com>
> Subject: [sf-lug] https hack
> Date: Sat, 30 Jul 2016 10:01:57 -0700

> New attack bypasses HTTPS protection on Macs, Windows, and Linux<
> http://arstechnica.com/security/2016/07/new-attack-that-cripples-https-crypto-works-on-macs-windows-and-linux/

The article starts off with, very first sentence of the very first paragraph:
"A key guarantee provided by HTTPS encryption is that the addresses of
visited websites aren't visible to attackers who may be monitoring an
end user's network traffic."

I'm sorry, but that's grossly untrue - the article's author loses all
credibility with their first sentence - I'm not reading it further.  And
the publication's editors must be pretty ignorant and/or lazy, to let such
a misstatement fly through as the lead sentence of an article ... uhm, and
this is supposed to be a technical publication?  With a leading statement
that's that screwed up, I'm certainly not about to rely upon anything
further the author has to say about anything technical.

HTTPS does nothing to hide traffic analysis, nor source and destination
endpoints of the connection.  It only mostly covers not revealing the
actual data transferred within.  That's it.  No more, no less.  So, an
attacker(s) monitoring end user's network traffic, regardless of HTTPS,
have full knowledge of the traffic sources and destinations.  End of
story, end of my reading that article.  I mean geez, there are kids 12
years old and younger who would know better, and could write more
accurately.  Ah, were it Usenet I'd killfile the author for gross
technical incompetence wielded from position of authority.
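
An added illustration of the point in the message above (not part of the original post): the sketch below reads one constructed IPv4/TCP packet carrying a TLS record the way a passive on-path observer would, with no keys. The addresses (RFC 5737 documentation ranges), ports and payload are assumptions made up for the example, and the function names are hypothetical.

```python
import ipaddress
import struct

TLS_TYPES = {20: "change_cipher_spec", 21: "alert",
             22: "handshake", 23: "application_data"}


def build_sample_packet():
    """Constructed sample: IPv4 + TCP + one TLS application-data record."""
    ciphertext = bytes(range(64))  # stand-in for the encrypted HTTP exchange
    tls = struct.pack("!BHH", 23, 0x0303, len(ciphertext)) + ciphertext
    # src port, dst port, seq, ack, data offset, flags (PSH|ACK), window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 51514, 443, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(tls)
    # Checksums are left at zero; this is a sample for parsing, not for sending.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address("192.0.2.10").packed,
                     ipaddress.IPv4Address("198.51.100.7").packed)
    return ip + tcp + tls


def observe(packet):
    """Return what is readable in cleartext without any TLS keys."""
    (ver_ihl, _, total_len, _, _, _, proto, _, src, dst) = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("example handles IPv4/TCP only")
    ip_hlen = (ver_ihl & 0x0F) * 4
    sport, dport, _, _, off = struct.unpack(
        "!HHIIB", packet[ip_hlen:ip_hlen + 13])
    payload = packet[ip_hlen + (off >> 4) * 4:total_len]
    seen = {"src": f"{ipaddress.IPv4Address(src)}:{sport}",
            "dst": f"{ipaddress.IPv4Address(dst)}:{dport}",
            "payload_bytes": len(payload)}
    if len(payload) >= 5:
        # The 5-byte TLS record header (type, version, length) is unencrypted.
        ctype, _, rec_len = struct.unpack("!BHH", payload[:5])
        seen["tls_record"] = TLS_TYPES.get(ctype, "unknown")
        seen["tls_record_len"] = rec_len
    return seen


if __name__ == "__main__":
    print(observe(build_sample_packet()))
```

Both endpoints, the record type and the record size come straight out of the headers; only the 64 bytes inside the record are protected.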




