by johnvschmitt 4265 days ago
Even so, there are weaker links in the security chain: Carriers (mobile equivalent of ISPs)

Your carrier has access to every URL you visit (http or https) and the entire packets sent to/from them (if http), regardless of the password on your phone.

Those Carriers have been MORE THAN eager to bend over backwards & give up the farm to the feds. Just check Verizon, AT&T's history with NSA/FBI/etc.

So, YES, the article is golden, Schneier is golden, but the fact that weaker links exist should still instill vigilance & outrage amongst civil libertarians / freedom lovers.

And, even if there are weaker links in the chain, we should still applaud & support strengthening any/all links, while still vigilant/aware of where the weakest link remains.

2 comments

They're presumably not MITMing SSL, so they have access to every host you visit, e.g. foo.com, via DNS. On SSL they cannot see the URL - e.g. https://foo.com/secret
If not DNS, then via Server Name Indication (SNI)

http://en.wikipedia.org/wiki/Server_Name_Indication

They also know the volume of data being moved and the times it occurred, which could be useful information.
Often the byte count is enough to determine the URL. It's also a key component of how BEAST et al. are able to extract session keys.
You're absolutely correct. However, when you combine host + time + location data, all at once, on your phone, then your carrier indeed has TONS of data to spy on you, regardless of the encryption on the phone itself.

All good points, & my only point was that while we strengthen each link in the chain, we can't assume we're secure while weaker links exist.

Do they have full URLs in https? The hostname, yes, but the GET /path/to/embarassing/page.html is passed within the encrypted channel. Am I correct?
You are correct. HTTPS is HTTP spoken over an SSL/TLS secure channel. The contents of the request and response are all fully encrypted.

The hostname is a special case, as it's present in the certificate presented by the host, as well as in the client hello if SNI is in use. (Both of these are unencrypted, as they're sent in the process of negotiating the secure channel.)