[sf-lug] (mis)information [was: Re: https hack]

Michael Paoli Michael.Paoli at cal.berkeley.edu
Tue Aug 23 00:00:43 PDT 2016


> From: "Asheesh Laroia" <asheesh at sandstorm.io>
> Subject: Re: [sf-lug] misinformation [was: Re: https hack]
> Date: Tue, 23 Aug 2016 00:11:47 -0400

Yes, good points.

> As for the rest of your comment, Michael:
>
> On Tue, Aug 23, 2016 at 12:06 AM, Michael Paoli <Michael.Paoli at cal.berkeley.edu> wrote:
>
>> I've certainly got to agree with others, that some of the
>> misinformation that some of the "tech press" puts out
>> is quite appalling - and that probably applies double or
>> more to security related articles.
>>
>> For example this one:
>>
>>> To: sf-lug <sf-lug at linuxmafia.com>
>>> Subject: [sf-lug] https hack
>>> Date: Sat, 30 Jul 2016 10:01:57 -0700
>>>
>>> New attack bypasses HTTPS protection on Macs, Windows, and Linux
>>> <http://arstechnica.com/security/2016/07/new-attack-that-cripples-https-crypto-works-on-macs-windows-and-linux/>
>>>
>>
>> The article starts off with, very first sentence of the very first
>> paragraph:
>> "A key guarantee provided by HTTPS encryption is that the addresses of
>> visited websites aren't visible to attackers who may be monitoring an end
>> user's network traffic."
>
>
> I agree that this is sloppy, confusing writing - domain names for HTTPS
> requests are already exposed, and IP addresses *certainly* are already
> exposed by TCP/IP underneath HTTPS.

Yes, I did realize as I went over that, that the intention might be a bit
different on the possible interpretations of "address" - but at best it's
very sloppy on that ... and I didn't feel like reading an article that
at best, got off to a very sloppy start.  :->

And thanks for the (much better) pointers, and clarifications.  :-)

> Good further reading for those who want to learn more:
>
> - https://https.cio.gov/faq/
>
> - http://stackoverflow.com/questions/8858102/with-https-are-the-url-and-the-request-headers-protected-as-the-request-body-is




