by ketralnis 3698 days ago
Theoretical, but:

1. MITM to return fraudulent data ("click here to input your personal data to collect your government cheque from this new federal grant!")

2. Recording browsing activity ("gee Mr. Smith, you sure do spend a lot of time looking up laws about X. Seems like a good thing to blackmail you about")

Working those into actual problems is an exercise for the reader, but they're mostly what https is for.

There is also the benefit that HTTPS is harder to mass-surveil, and harder for your ISP to play shenanigans like injecting their adverts and tracking headers into the page (https://www.eff.org/deeplinks/2014/11/verizon-x-uidh)


> Recording browsing activity

Yes, let's protect users visiting publicly available information from all the malicious eavesdroppers, while still posting all page requests to Google Analytics...

While protecting visitors' information from malicious eavesdroppers doesn't change the fact that the site they are visiting may willingly be sending such data to a third party, it does prevent malicious eavesdroppers.

There are several levels of trust involved. HTTPS goes a great length to ensure that the link between the client and the server is not compromised. That the service may be malicious itself or unconcerned with privacy is a different problem that you have to solve in some other way. That doesn't make secure connections any less of a problem.

piwik
> Recording browsing activity ("gee Mr. Smith, you sure do spend a lot of time looking up laws about X. Seems like a good thing to blackmail you about")

Are the URLs in an HTTPS request also encrypted? I was under the impression they weren't.

They are. The only thing that could be gathered from an HTTPS connection is the IP, and therefore, possibly the domain.

For all browsers made in the last 10 years, SNI is sent as part of the SSL/TLS handshake, so the hostname of the site you are trying to connect to is included in the ClientHello and is visible to anyone that can monitor the network.

Hostname, but not path.

This is a common and dangerous mistake. The size and timing of requests is visible, as is the hostname. It is straightforward to watch a cafe and identify all the requests corresponding to Wikipedia, and within those the Tiananmen Square page.

HTTPS is designed to protect secrets, not privacy. That means short random bitstrings, given that the adversary knows you're passing short random bitstrings---TLS just keeps him from figuring out the actual random content.

They are. Think about the fact that a lot of data exchange occurs via URL parameters (e.g. access tokens), so it would be a huge problem if they weren't also encrypted on HTTPS.