|
|
|
|
|
|
by handsomeransoms
4287 days ago
|
|
|
> You are implying something fundamental: that the encrypted traffic could be adequately analysed for insight without the need for decryption.
> Yet to do so would be to defeat SSL itself, or at least to declare it as insufficient to adequately protect secrets.
This is possible through HTTPS traffic analysis, see [0] and [1] for starters. Of course, it's much easier for Cloudflare to do analysis for DDoS protection if they have access to plaintext.Whether this means that SSL is, as you say, "insufficient to adequately protect secrets" is an interesting discussion to have. [0] http://arxiv.org/pdf/1403.0297.pdf [1] http://blog.ioactive.com/2012/02/ssl-traffic-analysis-on-goo... |
|
|