Wikipedia's Switch To HTTPS Has Successfully Fought Government Censorship (vice.com) 170
Determining how to prevent acts of censorship has long been a priority for the non-profit Wikimedia Foundation, and thanks to new research from the Harvard Center for Internet and Society, the foundation seems to have found a solution: encryption. From a report: HTTPS prevents governments and others from seeing the specific page users are visiting. For example, a government could tell that a user is browsing Wikipedia, but couldn't tell that the user is specifically reading the page about Tiananmen Square. Up until 2015, Wikipedia offered its service using both HTTP and HTTPS, which meant that when countries like Pakistan or Iran blocked certain articles on the HTTP version of Wikipedia, the full version would still be available using HTTPS. But in June 2015, Wikipedia decided to axe HTTP access and only offer access to its site with HTTPS. [...] The Harvard researchers began by deploying an algorithm which detected unusual changes in Wikipedia's global server traffic for a year beginning in May 2015. This data was then combined with a historical analysis of the daily request histories for some 1.7 million articles in 286 different languages from 2011 to 2016 in order to determine possible censorship events. [...] After a painstakingly long process of manual analysis of potential censorship events, the researchers found that, globally, Wikipedia's switch to HTTPS had a positive effect on the number of censorship events by comparing server traffic from before and after the switch in June of 2015.
Re: (Score:1)
Why are you so negative?
Re: (Score:2, Insightful)
Why are you so negative?
I'm trying to provide some counter-balance to unconscious positivity.
More seriously the religious conservatives in those countries who are employing censorship to "protect public morals" (or whatever they imagine themselves doing) do not regard the successful circumvention of censorship as positive. To call an objectively negative effect on a number 'positive,' betrays the tacit liberal ideological bias of the author. Better to call a spade a spade and allow the reader to draw he
Chinese censors *religious*?!?! Are you stoned? (Score:2)
> religious conservatives who are employing censorship to "protect public morals" (or whatever they imagine themselves doing)
Are you by chance stoned out of your mind right now? The great firewall of China is there to block international religious text ideas and other ideas which are at odds with the dictum of the ATHEIST Communist party of China. Exactly the opposite of what you seem to think.
Preaching in China can get you a jail sentence, though in recent decades they've started allowing Buddhist an
'ere (Score:2)
'ere
[Coughing]
Re: (Score:1)
And in the math, they probably didn't. What you're reading, though, is English, where a positive change can be described as positive no matter the direction.
Re: (Score:2)
It's a statistical result being described in English, which can use the English word 'negative' to report the statistical finding objectively, instead of the value-laden (and mathematically inaccurate) 'positive'. That was my original point.
TFS/TFA are about Wikipedia's battle against censorship, the article is simply reporting the story from the POV of Wikipedia. It's not like they'd likely get much in the way of newsworthy discussion from the governments involved. No bias here. Just the story reported as it was heard, from the party making the announcement.
You should sharpen that razor. You need to slice these things a bit finer. :)
Strat
Re: (Score:2)
"Wikipedia's switch to HTTPS had a positive effect on the number of censorship events by comparing server traffic from before and after the switch in June of 2015" is a direct quote from the report or the researchers, as opposed to the description chosen by the author.
Uh...how about the *purpose* Wikipedia switched to HTTPS? To avoid censorship, for which a reduction is, in fact, a positive. Stop with the sophistry. It's not intellectually honest, it's simply a way to have your cake and throw it in the trash, but all in your own head.
Strat
Re: (Score:2)
Assuming you are the same AC who wrote "The number went down so that is a negative effect. No need to introduce value-laden descriptors into the math." in the first post:
"To describe an effect on a number which acts to decrease the number as "positive" (since it is referring to an ideological as distinct from a mathematical effect) is value-laden. Liberal bias detected."
Are you seriously arguing that, for example, Ron Clarke's achievement running 10,000 metres in 27m39.4s in 1965, reducing the world record
Delusional (Score:5, Interesting)
Re: Delusional (Score:5, Informative)
It's a little worse than that. Because the URLs are different, the Chinese government has blocked zh.wikipedia.org but not en.wikipedia.org, presumably because most Chinese people can not read English to a high enough level. They should move the language into the end part of the URL i.e. wikipedia.org/en/some-article
Re: Delusional (Score:5, Insightful)
It's a lot worse than that. Governments as powerful as the U.S. and China have a dozen different ways to snoop on what citizens are ingesting. Remember that Snowden slide about "we unencrypt and reencrypt SSL here" bit? Now yes, SSL is like, the first obvious step towards doing things the right way. But Snowden revealed to us that several not so completely trustworthy governments are a dozen steps ahead of that and have been for many years. Time has since revealed that the situation isn't getting better. Now if in 2014 Amazon had gone https only, I might have the faintest hope that we have a realistic chance of seeing a decent path in our lifetimes. But here it is in 2017, and the Amazon quasi-monopoly (AWS holy shit) is cementing the expectation of lack of privacy of much of our purchasing logs. Remember that biblical bit about the number of the beast, it had more than a passing reference to commerce tracking the likes of which we've been living with for many years now.
For a few moments we had hope that someone like Snowden could legitimately turn things around. Now I'm quite convinced it's going to take another Holocaust. No joke. And even then it's not going to get better, it will just regress to something much different with new possible directions for the long term, and perhaps hope that people then will have better learned the lessons of history.
Wikipedia is definitely part of the problem as well as Amazon. There is no good reason why they need to have a centralized infrastructure that NO DOUBT is being tracked WHOLESALE by at least the U.S., Russia, and China. Censorship of the sort this summary talks about is a red herring. China after getting the U.S. to help whitewash the Tiananmen Square Massacre in '89 has so much power over their citizens that they can go ahead and let people have unfettered access to information. People learn that it's smarter not to go choosing to ingest the 'wrong' type of information. The government is quite effective at educating the people over their lifetimes as to what the 'wrong' types of information are.
It's so much worse than you think.
Re: (Score:2)
> For the record both Mozilla and Google have been pushing ahead with stronger sanctions against certificate authorities
While this is helpful for general security, I don't think it's that helpful against targeted snooping. I'd expect Wikipedia's certificates to be stolen from inside their security environment: they're large enough and a source of enough useful trackable information that I'd expect them to be targeted, successfully, by security agencies around the world. Moreover, I would expect agencies
Re: (Score:3, Insightful)
Even when history gives one little reason to trust the spooks; the kooks always have a bad time getting taken seriously, even when they have good evi
Re: (Score:2)
Re:Delusional (Score:4, Insightful)
any decent overlord is using SSL inspection (seamlessly via compromised root certs), so this is a non-issue
Re: (Score:3)
Re: (Score:1)
Modded insightful because that's what my boss overlord does.
Re:Delusional (Score:5, Informative)
any decent overlord is using SSL inspection (seamlessly via compromised root certs)
Cite?
There have been occasional instances of compromised root certs, which have fairly quickly been removed from default trust stores, but I see no evidence of ongoing vulnerability -- excepting when the overlord controls the trust store. That is common in corporate scenarios but not really possible without removing admin rights from users' computers, which is hard for any nation other than North Korea to do.
Re: (Score:1)
You're likely delusional to believe that there are no CA Root or Intermediate certificates in possession of various governments of the world. Let's assume your rose-colored glasses are right, though... how about all of those domain certificates - along with their private keys - held by Akamai, Amazon and Azure for their SSL-enabled load balancers and content distribution services?
Re:Delusional (Score:4, Informative)
You're likely delusional to believe that there are no CA Root or Intermediate certificates in possession of various governments of the world.
I wouldn't claim there are none, but we have pretty strong evidence that if there are any, they're used sparingly and in a very targeted way. If such unauthorized keys were being used broadly, someone would notice that the public key certificates received by end users are not the same ones being served by the sites.
Re: (Score:2)
The "Great Firewall of China" is an infamous example of such monitoring
The GFC does do some TLS MiTM, based on government CA certificates installed in many browsers. Not much, though, because it's pretty expensive, and not that hard to work around. Mostly the GFC prefers to simply block HTTPS connections to sites the government doesn't want its people to access.
and the AT&T hosted fiber optic taps revealed in the infamous "Room 641A" are the tip of the iceberg of network monitoring accepted as a part of doing Internet business
Red herring. Those sorts of taps are exactly what TLS makes useless.
Take a good look at the old "NetIntercept" box by Sandstorm Enterprises, which does just such monitoring wholesale. The product went off the public radar for a while since their purchase by NikSun, but it's still in use and still a strong seller to various Nefarious Security Agencies(tm).
https://www.securitywizardry.c... [securitywizardry.com]
No, those boxes aren't very useful to government agencies. They're mostly used by corporations who can push certs to the browsers of all of the corporate
Re: (Score:2)
> I wouldn't claim there are none, but we have pretty strong evidence that if there are any, they're used sparingly and in a very targeted way.
His very words you quoted clearly said there is no evidence of a surreptitious drift-net attack.
The Great Firewall is a drift-net, but it is an open secret that China does so. Anyone technical can look at their certificate chain and see if their communications are being intercepted. And China has no lack of people with the skills needed to detect that tampering.
Instead, what's being claimed is that the NSA is doing some technically undetectable certificate replacement at a global scale, but there is just
Re: (Score:3)
Project Bullrun, Cheesy Name, Edgehill
"Revealed: how US and UK spy agencies defeat internet privacy and security" (6 September 2013)
https://www.theguardian.com/wo... [theguardian.com]
".. agency has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL), used to protect online shopping and banking."
Re: (Score:2)
Re: (Score:2)
If you look at the detail of the exploits they use, none of them involve getting a root certificate to compromise large portions of the public internet. They are all work-arounds, like malware installing bogus certs on machines, flaws in SSL implementations or intercepting traffic being transferred between servers in an unencrypted state.
Beyond that, they save some HTTPS traffic for offline analysis. If it turns out to be important later, e.g. identified as belonging to a very valuable target, they apply so
Re: (Score:2, Informative)
How would you ever know if the US government went to Verisign and ordered them to create a valid cert for any domain? If you didn't have some form of client cert pinning you would never know.
Even if they could have a duplicate created and signed by Verisign, the public and private key pair would necessarily be different because these are generated at the time of certificate creation using a cryptographically strong random prime number pair generator. Thus, the signature on the certificate would be different than the one that Verisign previously generated for the original recipient. So, even though the new certificate would be "trusted", because it was issued by Verisign, the signature hashes wo
Re: (Score:2)
What this means is that such tampering is detectable by experts. That means if "they" were doing wholesale attacks on all traffic, it would be caught. Since pervasive tampering isn't evident here, that means they probably aren't drift-net trawling random internet traffic. Sure, they may be intercepting certain suspects' traffic, but that's not the same thing as Big Brother watching every conversation.
Re: (Score:2)
... but that's not the same thing as Big Brother watching every conversation.
No problem. They just store all traffic in a huge database and crack it at their leisure later-- if they even need to [schneier.com].
Re: (Score:2)
Have you read how the NSA performs their intercepts? They use a server called FOXACID which is inserted into the network closer to the target than the target's actual desired server. FOXACID responds quicker than the legitimate server and performs the MITM handshake. That's how they can then decrypt the messages.
Saving the packets for later would mean they get nothing.
Re: (Score:3)
An individual user affected by a one-time event probably won't know, but depending on the remote site and browser used by the user, it may be still be detectable, particularly if used on a larger scale.
For example, Chrome comes with information about authorized CAs and intermediates used by Google baked-into the browser itself, and has since 2011. It will refuse to connect to a "Google" site using an unauthorized certificate (unless manually added by an administrator, for things like SSL interceptors used a
Re: (Score:2)
(unless manually added by an administrator, for things like SSL interceptors used at businesses
If you ask me, that's a pretty gigantic "unless" for a browser that claims it's big on security. Admin can get your password and other personal details? No problem, that's acceptable for some reason! I ended up quitting my job over it because the company's policy was to do HTTPS snooping [slashdot.org].
Re: (Score:2)
I agree.
While I appreciate the necessity for manually adding roots (e.g. for internal, corporate resources), I dislike HTTPS snooping and its ability to override baked-in protections against phishing and impersonation of major sites like Google (among many other reasons to oppose such things).
That said, it's one thing for a company to deploy such a system with a corresponding company-owned root across company-owned computers, but another thing entirely for a government to do the same thing to all (or a subs
Re: (Score:2)
Here you go [slashdot.org]. The Chinese government requires all browsers to have their root certificate installed, allowing them to intercept encrypted traffic. Not every government is that technically competent, though.
Yes, that's an example of compromised certificates being identified and removed from trust stores... or in this case blocked via certificate pinning.
Re: (Score:2)
Re:Delusional (Score:5, Informative)
Also except for the fact that ISP can see your destination AND the url request... Yep they can not see it at all.
No. The ISP, etc., can see the hostname in the DNS request and they can see the IP address of the server you connect to, but that's all. The first messages exchanged with the server establish the encrypted channel and then the GET (or similar) request that specifies everything after the hostname in the URL is inside the secure channel. They cannot see the URL.
Governments that wish to censor HTTPS sites with proper TLS configurations and decent CAs really have only one option: to block the sites entirely. The only thin exception to this is if they can inject their own CA certificates in the TLS trust stores. That enables a man in the middle attack. Doing that is easy for corporations on corporate-owned and controlled machines, but harder for governments to do at scale, since it essentially requires taking away the ability to install arbitrary software on the end-user machine.
Re: (Score:2)
Governments that wish to censor HTTPS sites with proper TLS configurations and decent CAs really have only one option: to block the sites entirely.
This is an undesirable measure for a forward-looking regime like China's: they don't want to deny their tech sector etc. access to knowledge sources useful to their profession.
They have an alternative however, they can mirror wikipedia within China and censor their mirror while blocking the international site.
Fork wikipedia (Score:2)
The solution is simple. China et al can simply fork Wikipedia onto their own website. They can then push edits through for all non-controversial pages, and do what they like with the others. Wikipedia provides a huge ability to rewrite history. He controls the present...
Re: (Score:2)
Doing that is easy for corporations on corporate-owned and controlled machines, but harder for governments to do at scale ...
Meanwhile, M$ is pushing W10 + spyware as hard as they can and forcing updates on all users. What a coincidence!
Re: (Score:2)
Your computer makes a request to the server. The ISP can see which server. The details of the request are within the HTTP GET message that is sent. It is with this GET request that the URL is passed to the server.
When your computer connects via HTTPS the very first thing that happens is an encrypted channel is established. Only then is a GET request sent through with a URL, of which the ISP sees just gobbledygook, they can't even tell if you made a GET request, or a POST, or a PUT, much less that you're acc
Re: (Score:2)
It is completely delusional to think this effectively prevents government censorship as if they can't selectively block content they simply take the sledgehammer approach and ban the site altogether.
That is an option; but only if you want to (quite visibly) be caught interfering with your citizens' access to intriguing trivia, fun facts; and the best friend of last-minute-'researchers' everywhere.
Sure, against somebody who doesn't give a damn, at all; and has no domestic opposition even close to being able to make him do so, "You'll have to ban it all to ban any of it!" will just get you a "Challenge Accepted." and a ban. That cuts down on the list of potential censors, and raises the cost they pay
Re: (Score:2)
Something, something, something... Leftists.
Do you bore yourself? You bore the fuck out of me.
Ah cool - left and right -- what a simple world! (Score:2, Insightful)
Ah cool - left and right -- what a simple world!
Sounds like the Donnie Darko "LOVE or FEAR" measuring stick.
The free market probably was once a "liberal" idea, back in the days of Dukes and Lords who wanted to control all commerce. Segregation is making a huge comeback, is the idea of segregation supposed to be a "left" or "right" idea ... if so why is "the left" pushing it.
So is Smokey The Bear not wanting you to litter a "left thing" ("the environment") or a "right thing" ("use a trash can, lazy ass")? I
Re: (Score:2, Insightful)
Most censorship actually comes from leftists ...
Wrong. Most censorship actually comes from "countries like Pakistan or Iran", that is to say, from religious conservatives.
Re: (Score:2)
Most censorship actually comes from leftists ...
Wrong. Most censorship actually comes from "countries like Pakistan or Iran", that is to say, from religious conservatives.
His assertion that most censorship comes from 'leftists' had me about 90% sure it was a troll. Genuinely idiotic opinion.
Re: (Score:2)
Only purgatory?
Re:Who is responsible for censorship? (Score:5, Insightful)
No. Wrong!
Most censorship comes from *AUTHORITARIANS*. From both sides of the aisle. By their very nature authoritarians want to control what you can do, and that includes what you can read. Regardless of which way someone leans politically, if they are more libertarian they will be against censorship, and/or pretty much telling people how to live their lives. If they are authoritarian, they will want to meddle, and that includes censorship.
Authoritarian left, authoritarian right; they BOTH suck. No matter how you lean politically the most important thing is to remember that we shouldn't be telling people how to live their lives.
Re: (Score:2)
Now, can you tell us the difference, if there really is any, between the two?
The most obvious difference is whether the "means of production" are held in private or state ownership.
Re: (Score:2)
Modulo inverted totalitarianism [wikipedia.org] muddying the waters?
Re: (Score:2)
Modulo inverted totalitarianism muddying the waters?
Like the 'totalitarianism' trope itself, though perhaps not with the same level of intent, it certainly serves to muddy the waters. By which I mean it serves to obfuscate the real radical differences between left and right-wing authoritarian states (at least at their inception).* US political theorists have busied themselves with this task since at least 1945.
[* that is the case of China, at the very least, serves to illustrate the possibility of nomi
Re: (Score:2)
[*By which I meant that following the stunning global victory of neo-liberal ideology in the late 1980s, the ma
Re: (Score:1)
Corporate and state are a distinction without a difference.
Not that this bromide really deserves a reply ... (Score:2)
Corporate and state are a distinction without a difference.
Given it was legislated into existence, the corporate form is itself an expression of state power. Creator and creature is fairly obviously not a "distinction without a difference." Just for a start ...
So tell me what do you make of a piece of legislation which explicitly applies to corporations but does not bind the Crown?
Re: (Score:1)
The government is bound and dominated by corporate funding ('donations', media promotion, etc.), which will go elsewhere if the state does not play ball. Revolution is a big expense, but not out of reach. The wars in the middle east (and Central/South America) are about business, not any silly ideology, which is just a low wage motivator. Also note where most top level government appointees come from. They are juiced in. It should be pretty obvious who rules overs whom. Granted, the cause is voter disintere
Re: (Score:2)
The government is bound and dominated by [state] funding ... which will go elsewhere if the state does not play ball.
Given we are examining your assertion that "[c]orporate and state are [sic] a distinction without a difference" I've taken the liberty of substituting 'state' where you wrote 'corporate'. The sentence, I think you must agree, no longer makes much sense. I put it to you that you cannot coherently write what you just wrote without differentiating between 'corporate' and 'state.'
Re: (Score:1)
They are simply one and the same and inseparable. It really makes no difference which department is in charge. Protection of their wealth from the ravaging hordes is the singular goal.
Re: (Score:2)
They are simply one and the same and inseparable.
Yet the very fact that you could write "[t]he government is bound and dominated by corporate funding," or even think it, betrays that even you do not truly believe this quip. That's before we even come to look at concrete historical questions, such as to which particular corporations Stalin, for example, was beholden for "donations, media promotions etc."
It's a rhetorical flourish, not serious analysis. And while your point might hold some glimmer of
Re: (Score:1)
I'm sorry, what? You expect me to believe that Stalin had the wealth and power to act on his own?
Re: (Score:2)
I'll take that as a concession as to the point under dispute.
Cheers.
Re: (Score:1)
Take it as you wish. You still can't differentiate the state from the corporation.
Re: (Score:2)
You still can't differentiate the state from the corporation.
My ability to distinguish them was never in question. What you have demonstrated is that you suffer no particular lack of discernment on that score either.
You've now had 5 more replies than your original jive deserved ... enough of your silliness already.
Re: (Score:1)
You still haven't shown any difference between 'left' and 'right'.
My ability to distinguish them was never in question.
Exactly, but it is based on a totally imaginary premise. The reality is that there is no difference. Authoritarianism is totally and utterly non partisan in whatever fashion you can dream up.
Re: (Score:2)
The authoritarian leftist state (controlled by a small elite, certainly not "the people") owns the means of production.
Which is, of course, the reason I chose to describe it as "state" ownership, rather than public ownership.
Re: (Score:2)
Sorry cut myself off ...
In an "authoritarian right" state, a small elite owns the means of production. This small elite is also the political elite - or they control politicians through massive campaign donations nobody else can come close to matching.
No, this is not generally true. It may the case that there exists some authoritarian right-wing state or states where the industrial elite and the political elite are the same persons. But that is hardly true for authoritarian right-wing states generally,
Re: (Score:2)
When corporations can force people to hand over their wealth under threat of incarceration and/or violence, I'll take your perspective seriously. As much as you might hate Comcast, Monsanto or Koch Industries, they don't send men with guns to your house to kidnap you and throw you in a cage should you refuse to follow their orders.
You also neglect the fact that corporations exist in their current form only because they manipulate government and thus enjoy numerous government-backed special privileges. Eli
Re: (Score:1)
When corporations can force people to hand over their wealth under threat of incarceration and/or violence, I'll take your perspective seriously.
You mean, like this [theblaze.com]?
Re: (Score:3)
Countering Foreign Propaganda and Disinformation Act (2016)
https://en.wikipedia.org/wiki/... [wikipedia.org]
That's nice so are they going to work on (Score:5, Insightful)
Re: (Score:3)
Re: (Score:2)
Re: (Score:3)
Except the whole point of HTTPS is that the government only knows you visited https://example.com/ [example.com] and not which page on example.com you visited.
Re: (Score:2)
Except the whole point of HTTPS is that the government only knows you visited https://example.com/ [example.com] and not which page on example.com you visited.
Technically the monitor can't see the whole URL. Monitoring only lets you see that they resolved the name example.com, and that they then visited port 443 on that site. The network traffic is encrypted and you can't be sure if they visited index.html or not.
I realize this is probably what you meant, and is just splitting hairs, but it pays to be accurate.
Re: (Score:1)
If they already have some idea, they can probably confirm it to some degree of satisfaction though. They know the size of the download, and I think they know the size of the image downloads as well. They can deduce the page from that. (At least I believe this is the case - this is Slashdot so someone will tell me if I'm wrong).
Only a temporary solution (Score:5, Interesting)
The only reason this is working for now is because the censoring governments haven't implemented a workaround for it yet. There are various ways they can still censor Wikipedia:
They can use their own CA (don't even think that a country like China doesn't have access to be able to generate certs for any hostnames they want from a trusted CA) to generate a wikipedia.com cert and proxy wikipedia traffic through their own servers censoring it in the process.
They can proxy traffic from http to https and locally block the https traffic so the people in their country are forced to use the http version which is censored.
They can block Wikipedia altogether by various different means.
Re: (Score:3)
If a trusted CA ever creates a fake certificate so that a party may perform MITM then it will leave a positive artifact.
If you can ever find this artifact, then post it on Slashdot and I guarantee it will be first page and it will also result in at least one browser revoking that CA.
Re:Only a temporary solution (Score:5, Insightful)
When China provides not only the browser, but the entire OS that the majority of people there run, don't you think they can insert their own trusted CA into the mix? How hard is it for a country to require users to access essential government services online, and oh look, they might just have their own trusted CA that you have to accept. If the certs are only presented to connections in their own country it becomes that much harder for security researchers to detect. There are so many ways to pull this off it's ridiculous, and countries that can't can still use one of the other methods I outlined.
Re: (Score:2)
When China provides not only the browser, but the entire OS that the majority of people there run,
The *majority* of the people do not run some government provided OS. There's a reason piracy rates are so incredibly high in China.
A few mandated businesses run Chinese mandated OSes. Educational institutions do too. And all of this is completely irrelevant since every idiot on the street has workarounds to blocked content anyway. The Chinese censorship can be best described as "casual".
Re: (Score:2)
The most popular operating systems in China are Android and Windows. China doesn't supply a browser; the most popular one is Chrome by a long shot.
http://gs.statcounter.com/brow... [statcounter.com]
Maybe you are confusing them with North Korea?
Re: (Score:2)
Re: (Score:2)
No, removal of http means that someone can no longer connect directly to http on the Wikipedia servers (or more precisely they will be redirected to https). It does not prevent a 3rd party MITM (eg: nation states) from accepting http connections and proxying them to Wikipedia via https. It is the latter that I refer to not the former.
Re: (Score:2)
Perhaps I came across too harsh in my criticism. I did not mean to imply that this is a bad move by Wikipedia, it is certainly a good idea and probably something they should have done a long time ago. What I am criticising is the arrogance of claiming that they have solved the censorship issue. They have not by a long shot.
Hard to believe. (Score:5, Insightful)
For example, a government could tell that a user is browsing Wikipedia, but couldn't tell that the user is specifically reading the page about Tiananmen Square.
This is hard to believe. The vast majority of Wikipedia pages contain several images and the file sizes for each of these images is different. When you load a page, the browser first loads the text of the page, then in separate https requests, it loads each of the images, usually in the order listed in the page's HTML. Each page then has a unique signature: the size of the text, and the sizes of each of the images in order. It would be very easy for an adversary to build up a database of these signatures, simply by analyzing their own traffic when they examine various pages. Even if the traffic is encrypted, by looking at the amount of data transferred and the timing, it seems it would be almost trivial to figure out which pages a user was visiting.
Re: (Score:2)
That is a legitimate attack, of course it can be more easily protected against than it can be exploited. Gzip compression (and tweaking the settings behind the compression per stream) of streams or padding with junk data in either direction can be used to adjust sizes of resources.
Also a slight technical correction, a client can make multiple requests per stream. But that does not affect your concern.
Re:Hard to believe. (That's padding's job) (Score:1)
Re:Hard to believe. (Score:5, Informative)
The web client will reuse the connection to the server, and to a 3rd-party observer it will all look like one massive blob of data so that all they could really get out of it is the content length of the whole thing, which due to gzip compression (which is enabled for Wikipedia, I checked), caching of resources, etc, means it will vary considerably from one fetch of a given page to the next.
If that isn't enough, http servers and TLS ciphers themselves actively hide the length of the content they transmit with techniques such as padding and adding additional random bytes to the beginning or end of a HTTPS transmission.
All up, I'd say this vector would be pretty much impossible to exploit.
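To make the size-signature concern in the parent post and the padding and connection-reuse answers concrete, here is an added example (not from any of the posters) built on made-up page and image sizes: it counts how many pages an observer could still name uniquely when each object is fetched separately, when every transfer is padded up to a fixed bucket, and when one reused connection makes the whole page a single padded blob. Compression variance and caching, which the reply above also relies on, are deliberately not modelled, so this shows the effect of padding alone.

```python
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

Page = Tuple[int, List[int]]   # (HTML size, image sizes), all in bytes

# Constructed sample catalogue. These numbers are invented for illustration and
# were not measured from Wikipedia; two pages are given near-identical sizes on
# purpose so that modest padding makes them collide.
PAGES: Dict[str, Page] = {
    "Tiananmen_Square":          (48210, [31022, 27415, 19877]),
    "Tiananmen_Square_protests": (91650, [31022, 44130]),
    "Beijing":                   (70312, [27415, 52200, 19877]),
    "Forbidden_City":            (48200, [30999, 27415, 19877]),
}


def pad(size: int, bucket: int) -> int:
    """Round a transfer size up to the next multiple of `bucket` bytes (bucket=1: no padding)."""
    return -(-size // bucket) * bucket


def per_request_signature(page: Page, bucket: int) -> Tuple[int, ...]:
    """Each object fetched in its own request: the observer sees every padded size in order."""
    text, images = page
    return tuple(pad(s, bucket) for s in (text, *images))


def single_blob_signature(page: Page, bucket: int) -> Tuple[int, ...]:
    """One reused connection: the observer sees only the padded total of the page."""
    text, images = page
    return (pad(text + sum(images), bucket),)


def anonymity_sets(pages: Dict[str, Page], sig_fn: Callable[[Page, int], Tuple[int, ...]],
                   bucket: int) -> Dict[Tuple[int, ...], List[str]]:
    """Group pages by the signature the observer would see under this model."""
    groups: Dict[Tuple[int, ...], List[str]] = defaultdict(list)
    for name, page in pages.items():
        groups[sig_fn(page, bucket)].append(name)
    return {sig: sorted(names) for sig, names in groups.items()}


def uniquely_identifiable(pages: Dict[str, Page], sig_fn, bucket: int) -> List[str]:
    """Pages whose signature matches no other page: these the observer could still name."""
    return sorted(name for names in anonymity_sets(pages, sig_fn, bucket).values()
                  if len(names) == 1 for name in names)


def padding_overhead(pages: Dict[str, Page], sig_fn, bucket: int) -> float:
    """Extra bytes sent because of padding, as a fraction of the unpadded total."""
    raw = sum(sum(sig_fn(p, 1)) for p in pages.values())
    padded = sum(sum(sig_fn(p, bucket)) for p in pages.values())
    return (padded - raw) / raw


if __name__ == "__main__":
    for label, fn in (("per request", per_request_signature), ("single blob", single_blob_signature)):
        for bucket in (1, 4096, 8192):
            named = uniquely_identifiable(PAGES, fn, bucket)
            print(f"{label:12s} bucket={bucket:5d}: {len(named)}/{len(PAGES)} pages still unique, "
                  f"overhead {padding_overhead(PAGES, fn, bucket):.1%}")
```

With these sample sizes, per-request fetches leave every page unique until padding to 4 KiB merges the two look-alike pages, while a single reused connection padded to 8 KiB leaves no page uniquely identifiable at under 3% extra bytes.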
Since the URL isn't encrypted... WHAT IS THE POINT (Score:1)
https://en.wikipedia.org/wiki/Special:Search?search=dumb+ass
now get rid of the notability censors (Score:1)
I'm fed up of looking up information and seeing it deleted as "not notable". Information wants to be free, and shouldn't be held to arbitrary "notability" standards. The day a notability free version of Wikipedia gets popular I will donate again.
Real world effects (Score:4, Informative)
What about wikipedia's own censorship? (Score:2)
And distortion of facts?
blabbermouth (Score:2)
> For example, a government could tell that a user is browsing Wikipedia, but couldn't tell that the user is specifically reading the page about Tiananmen Square.
Well, until now. Gee thanks, guys.
I have to. (Score:2)
So the government(s) "no rikey" encryption hiding user use from them? Windows 10 will take care of that for them. Er... has already taken care of that for them.
use Tor (Score:1)
For people that live in China, please use TOR.
Take your security into your own hands. Don't depend on external sites to protect you. SSL has been compromised in the past, browser exploits do occur and your computer will keep logs of what you visit.
It's much better to use TOR and setup to tunnel through a bridge to get the information you want. Your country will not be able to monitor your information gathering, your browser will erase all logs on exit and wikipedia will not have an IP log of your visit. You
Re: (Score:2)