Hacker News new | ask | show | jobs
by dmitrygr 1208 days ago
> even HTTPS leaks the requested URL

It does not. In the olden days the host name was leaked, but with SNI even that is gone. Anything past the first "/" is never and was never sent in plaintext in HTTPS
3 comments
cperciva 1208 days ago
Most public web sites leak information about page accesses to anyone who can count bytes.
link
teaearlgraycold 1208 days ago
What kind of attack are you describing?
link
cperciva 1208 days ago
Count how many bytes of TCP traffic you see. Measure the size of each web page on the (public static) website.
link
fmajid 1207 days ago
The host name is still leaked, SNI is not encrypted and ESNI is still not mandatory in TLS 1.3.
link
2h 1207 days ago
> host name was leaked, but with SNI even that is gone

nope, you can still see it perfectly fine:

https://tlshello.agwa.name/

please don't spread misinformation.

link
dmitrygr 1207 days ago
ESNI*
link
2h 1207 days ago
OK, now name at least two public servers that use that. I will wait...
link