this post was submitted on 31 May 2022
38 points (100.0% liked)
Privacy
Depends.
First, the content of HTTPS traffic might be encrypted, but some metadata (the domain name or IP address of the destination, for example) is not. You can use just that to do some tracking.
Then, if for example the ISP sees a user visits a particular website with poor privacy practices (let's say, any social media run by big tech), they could do business with them and buy and sell data.
Lastly, but this is tinfoil-hat territory, what is to say they can't leverage the biggest flaw in the global HTTPS infrastructure: they could manage to corrupt a certificate authority into giving them their root certificate keys (or at least into decrypting traffic they start logging and then pass over). This way, the ISP could read the traffic of any user of any service which uses certificates emitted by the corrupted CA. It's very difficult for something like this to happen because big CAs aren't just run by 1 omnipotent person, but technically 100% possible.
Side note: Tor solves the trust problem of the global certificate infrastructure: Hidden Services don't work with trust on a CA, they work with just a public and private key system, where the only weak point is the server of the hidden service, storing the private key it uses to encrypt traffic and serve it to clients.
Edit: the server's private key decrypts data the client encrypted with the server's public key, and vice versa, idk why I always mess the 2 things up in my mind :P, but the point remains