What does https do exactly?

>And is it possible that I'm visiting a website over https, but it loads stuff over http?
No.

>Like if I'm visiting a torrent site, is it possible that my plausible deniability gets broken by "office_2010_activator_29839032.torrent" being downloaded over http without encryption?
Yes.
>Would there need to be a specific attack for that to happen, or even my ISP can see all the files loaded without encryption?
Anyone can see HTTP Traffic.

>No.
This isnt necessarily true. You can have mixed content. There is even a setting in umatrix to forbid mixed content. Smart https has a similar setting.

Ah thanks for the info.
developers.google.com/web/fundamentals/security/prevent-mixed-content/what-is-mixed-content

yes exactly.

Everyone can see the domain you're visiting, whether you're using TSL, SSL, or whatever encryption method since the web servers NEEDS to know which site you're visiting due to the way the http protocol works. The data, on the other hand, is a whole other story.

>pic related
The "Client Hello"/handshake before the encryption method begins.

Attached: https.png (570x525, 41K)

TLS*

Do a web search for diffie-hellman key exchange to see how they avoid mitm attacks.

If you use https, and it actually works, then anyone else can only see the domain name.
For example, if you browse this thread with https, they could only see boards.Jow Forums.org .
https protects from others seeing the g/thread/67243445 part of the URL, and the data transferred.
It also prevents someone from modificating the data that is sent or received.

Oh I forgot: https also makes sure the server you're communicating with is who it pretends to be. So you're not connecting to a fake Jow Forums server for example.

Protip for everyone itt: Install HTTPS everywhere to force all websites that support HTTPS to actually use it. Some websites support HTTPS but don't use it by default, such as Jow Forums. This frustrates the NSA.

Protip if you hate the NSA:
Enable HTTPS-only mode in HTTPS-everywhere, to prevent any HTTP-websites/requests being processed in your browser. This way all your internet-traffic is encrypted and NSA can only ever see the domains you are visiting. This angers the NSA into oblivion because they can't see shit. It does break some websites, but fuck those shitty old HTTP-only websites, 99% of websites support HTTPS nowadays.

It prevents you, the user, from actually knowing what google analytics, google adwords etc. are sending back to google servers. Can't look into encrypted packages anymore.

Feeling safer yet?

>not without blatantly making it obvious that they're trying to MITM you by breaking the certs
Depends on who you are, an intelligence agency might MITM by using proper certificates.

While the encryption may work, certificates are laughably easy to get nowadays, seeing that green padlock isn't a guarantee that it isn't a phishing site.

OP here.
Thank you very much for the useful information.
I appreciate it.

That's SNI extension. it's unfortunate, but was needed to remove the requirement that each tls enabled domain be on it's own unique IP

>What does https do exactly?
>I know it encrypts the communication between me and the server, but in practical terms, what difference does it make?
>Can any MITM see which websites I'm visiting?
>Can the ISP tell which pages and which content I'm downloading, or only which server I'm connecting to?
>Like, if I go on YouTube, can the ISP (or anyone connecting to my network) see that I'm on YT and which videos I'm watching?
en.wikipedia.org/wiki/HTTPS

Since this is a related thread.
If I use free VPN/ Proxy/ SOCKET, does this means they can bypass the SSL encryption og HTTPS?

Attached: 1510100616446.jpg (960x540, 58K)

>And is it possible that I'm visiting a website over https, but it loads stuff over http?
Yes.

>And is it possible that I'm visiting a website over https, but it loads stuff over http?
some websites - the login page, or other critical pages where sensitive requests are sent, are https then they'll switch to http for everything else. Not sure exactly why this is, maybe they are too cheap to buy certs for other hosts?

It encrypts your connection from your computer to the server. So it protects you against some man in the middle attacks and spying.

Technically no, becuase it is E2E encryption between your browser and the server. FYI most servers and browsers use tlsv1.2. SSL is slightly vulnerable to cbc and padding attacks.

They would either have to spoof the cert, in which case your browser will warn you or downright not allow you to visit the site if its HSTS, or they have to downgrade the request to a weaker encryption like ssl and then use padding attacks to decrypt the ssl data.

It does more than just end-to-end encrypt your communications, it also guarantees through a certificate authority that the site you're communicating with really is who it claims to be.
en.wikipedia.org/wiki/Public_key_certificate#Certificates_and_website_security

Link?

HTTPS encapsulate the HTTP request with TLS encryption.

When you connect to boards.Jow Forums.org/g/, you make a
"GET Jow Forums" request to the "boards.Jow Forums.org" server.
The requests (GET, POST, the headers, the parameters...) are end-to-end encrypted, while the targeted server (domain) is still visible for obvious reason (routing, DNS and shit)

What attacks can one that uses HTTPS be susceptible to?
For example, if someone broke into my house and stole my router, what info can he find on it (assuming it's an average router with default settings)?

Little is stored on the router itself, except stuff like authentication to ISP depending on protocols, wireless settings and creds,, portwarding rules, dynamic DNS settings etc. Your home router won't be logging each visit to Jow Forums and PornHub unless you have flashed custom firmware and got some hardcore logging going

you can't MITM with HSTS
you can see the website domain, you can't see anything after the first /
so
they know you requested boards.Jow Forums.org

nothing else
also if you use dns proxy they can only see the IP address of where you are going, so assuming multiple domains or sub domains are hosted at the IP they have no idea, and if it's cloudflare they have no idea.

this. comcast does it frequently. esp if you torrent something they will give you popups on every site you visit saying you downloaded something bad.

This is against net neutrality

Attached: 1381706798933.png (286x350, 32K)

Do they want customers to leave them?
My ISP would never do such a thing because they actually value the money I send them every month.

nobody will leave them, there are no other options in many areas.
they've done it for like 10 years.

Smart https is better. It doesnt use a predefined list like https everywhere. Smart https also has better settings

net neutrality is liberal garbage

>I prefer to be fucked in the ass by corporations than having right s
Net neutrality is not a "liberal" thing, it's just common sense.

Not if you use an SSH tunnel.
They can see my computer is connecting to another computer somewhere using a common encrypted port used for regular everyday traffic, but they can't see anything else.

Fuck off shill

>Your home router won't be logging each visit to Jow Forums and PornHub
This is factually inaccurate, it depends by brand. Netgear in particular has a log you can read from the admin console.

>I am based and redpilled unlike all those sheeple and only have sex with my figmas

Do you even know what a figma is

Note that HTTPS does not necessarily save you from people (essentially) inspecting your traffic. whydoesaptnotusehttps.com/