Skip to content

Re: debunking myths about HTTPS

Noted by on his . Last updated . Changelog

A “more sophisticated” scenario can consist of manually routing all the victim’s traffic to an external server. The attackers can also create fake networks or routers. In other words, it’s possible to act as a proxy under certain conditions without any knowledge from the victims who wouldn’t change their behavior, as nothing would look wrong.

This attack allows intercepting cleartext communication. However, simply proxying traffic does not allow decryption.

Decryption as you describe requires compromising the host OS, which would allow an attacker to do anything a user can. A compromised OS has no expectation of security, regardless of which measures you put in place.

A better attack would be to add an additional CA to the OS and browser CA bundles. This would let an attacker add their own TLS certificates to sites without getting rejected by the browser. However, once again, this requires an attacker to compromise the host OS.

The only convincing HTTPS-compromise mentioned is interception of an unencrypted initial connection before it’s upgraded to HTTPS; this is a valid concern for sites not on the HSTS-Preload lists or lacking HTTPS service-binding DNS records.

A better argument would be that TLS doesn’t normally encrypt Server Name Indication (SNI) or obfuscate record sizes; SNI-sniffing or traffic analysis could reveal domain names or pages, respectively.

I’d say that HTTPS combined with random record padding and Encrypted Client Hello (TLS 1.3 extensions) and a form of encrypted DNS (DoT, DoH, DoQ) can offer pretty good privacy protections against a MITM: the only reliable information leakage with these measures in place is at the IP layer. IP addresses are less specific than hostnames, since one IP can correspond to multiple hostnames.