The Web Design Group

... Making the Web accessible to all.

> Does SSL (using HTTPS://) actively reduce your anonymity?
Professor_99
post Apr 1 2015, 04:52 PM
Post #1





Group: Members
Posts: 2
Joined: 1-April 15
Member No.: 22,443



Does SSL (using HTTPS://) actively reduce your anonymity?

First, let me say that I understand that SSL is not a technology for anonymity. My question is: does it actively destroy your anonymity?

The way I understand it is that basically your browser and the HTTPS site exchange PUBLIC KEYS and use them to encrypt traffic between each other.

My question is, what PUBLIC KEYS am I sending? Is it randomly generated each time or is my PUBLIC KEY stored on my system that is always used when going to an HTTPS site?

The anonymity concern I have is the following process:

1. On 1/1/15 I visit HTTPS:Google.com. For simple purposes let's say my PUBLIC KEY is "101" and I am using my own ISP.com to connect to the internet. Google.com at this time could easily have a database to record those three pieces of information (1/1/15 12:00am, 101, ISP.com).

2. On 1/2/15 I am using some sort of proxy to protect my anonymity. I visit HTTPS:Google.com. My PUBLIC KEY is still "101" and now it shows PROXY.com as my connection. Google records (1/2/15 12:00am, 101, PROXY.com).

As you can see, if my PUBLIC KEY is a static value, Google could use it to identify me by searching for that PUBLIC KEY and listing all used ISPs. If it is a static value across all sites I visit, it is even more destructive to anonymity.

Am I not understanding this correctly?

Thanks.

This post has been edited by Professor_99: Apr 1 2015, 04:54 PM
pandy
post Apr 1 2015, 05:06 PM
Post #2


🌟Computer says no🌟
********

Group: WDG Moderators
Posts: 20,716
Joined: 9-August 06
Member No.: 6



Not my forte, this, but if I've got it half right the browser creates a session key that's only used for that session. But don't trust my word for it. As said, not my thing.
Christian J
post Apr 1 2015, 07:14 PM
Post #3


.
********

Group: WDG Moderators
Posts: 9,630
Joined: 10-August 06
Member No.: 7



I don't know either, but there are many other ways to identify a browser (even if cookies are disabled and the IP changes), see e.g. https://panopticlick.eff.org/ and https://panopticlick.eff.org/browser-uniqueness.pdf
Professor_99
post Apr 2 2015, 06:04 AM
Post #4





Group: Members
Posts: 2
Joined: 1-April 15
Member No.: 22,443



Thanks Pandy... I was missing the term "Session Key".

Now I understand how it works, and no, it does not hurt anonymity.

Public/Private encryption uses asymmetric keys, and these keys have to be fairly large for strong encryption (1024 bit is the minimum recommended). The larger the key, the more processing is needed to do encryption.

Public/Private keys are useful because you can share the public key with anyone and yet only the private key can decrypt the data.

Symmetric keys are single keys that can be used to both encrypt and decrypt data. They have the advantage of being small (strong encryption possible at 128 or 256 bits) but the disadvantage that anyone who knows them can both encrypt and decrypt the message.

SSL uses both asymmetric and symmetric methods to encrypt traffic.

1. The HTTPS Server sends a copy of its asymmetric public key to my browser.

2. My Browser creates a symmetric session key (random and created for just this one session) and encrypts it with the server’s asymmetric public key and sends it to the Server.

3. Server decrypts the asymmetric public key with its asymmetric private key to get the symmetric session key.

4. Server and Browser now encrypt and decrypt all transmitted data with the symmetric session key. This allows for a secure channel because only the browser and the server know the symmetric session key, and the session key is only used for that session. If the browser were to connect to the same server the next day, a new session key would be created.

So in that way my session key is not useful to track me, as it is randomly generated per session.
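The exchange described in post #4, replayed for the two visits from post #1 (once via ISP.com, once via PROXY.com), as an added example that is not part of any forum post. It assumes textbook RSA with a constructed toy key and uses an HMAC tag in place of encrypted traffic; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed toy server key (assumption: textbook RSA, no padding, built from
# the Mersenne primes 2^127-1 and 2^89-1; for illustration only).
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                      # server's public key (step 1)
D = pow(E, -1, (P - 1) * (Q - 1))        # server's private exponent

SERVER_LOG = []  # (source, wrapped key, session key) as the server could record them


def client_wrap_key(n, e):
    """Step 2: browser creates a random session key and encrypts it to the server."""
    session_key = secrets.token_bytes(16)
    return session_key, pow(int.from_bytes(session_key, "big"), e, n)


def server_unwrap_key(source, wrapped):
    """Step 3: server recovers the session key with its private key and logs the visit."""
    session_key = pow(wrapped, D, N).to_bytes(16, "big")
    SERVER_LOG.append((source, wrapped, session_key))
    return session_key


def run_session(source):
    """One visit; returns True when both ends hold the same session key."""
    client_key, wrapped = client_wrap_key(N, E)
    server_key = server_unwrap_key(source, wrapped)
    # Step 4 stand-in: an HMAC tag under the session key replaces encrypted traffic.
    msg = b"GET / HTTP/1.1"
    client_tag = hmac.new(client_key, msg, hashlib.sha256).digest()
    server_tag = hmac.new(server_key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(client_tag, server_tag)


def values_repeated_across_sessions():
    """Client-supplied key material that shows up in more than one logged visit."""
    seen, repeated = set(), set()
    for _source, wrapped, key in SERVER_LOG:
        for value in (wrapped, key):
            (repeated if value in seen else seen).add(value)
    return repeated


if __name__ == "__main__":
    for source in ("ISP.com", "PROXY.com"):   # the two visits from post #1
        print(source, "keys agree:", run_session(source))
    print("values shared by both visits:", values_repeated_across_sessions())
```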
pandy
post Apr 2 2015, 06:41 AM
Post #5


🌟Computer says no🌟
********

Group: WDG Moderators
Posts: 20,716
Joined: 9-August 06
Member No.: 6



Just for the reference, I googled a little and found this page almost understandable.
https://www.digicert.com/ssl-cryptography.htm