twitter https security&privacy from isp & local admin

[ulhvdm]

hi
twitter.com has a feature where you can use their website in https protocol the whole time.
so how much privacy does that provide ?does that hide my twitter identity and what i post from my isp and local network admin?if yes is this guaranteed 100%?

thanks

 

[Jay_2]

yes in basic terms it does hide the post info but there are easy ways to get around that using arp tricks so its not 100%

 

[Biznatch]

Https will encrypt the traffic only. Your IP will still be logged at twitter, so they would be able to figure out who you are if they wanted. Plus your worried about encrypting traffic to a public status announcement site?

 

[C7J0yc3]

HTTPS will only encrypt the traffic between you and the site. The idea is so that if you are in a public place one could not use a Man In The Middle attack against you to get your account information (a good example would be the firesheep plugin for firefox). Now there are ways that even if you are using HTTPS and I am running a MITM attack against you I can still intercept the HTTPS traffic, strip the cert from it and pass then pass the traffic (essentially forcing you from the HTTPS to the HTTP site). There are two problems with this

1: If you suddenly notice that your secure indicator is missing from the URL bar of your browser you will know instantly you have been compromised.

2: If I am passing the traffic back to you securely obviously once I strip the cert from the website I can't pass it on to you, thus I have to pass you a self signed cert which again your browser will alert you to and you will know you have been compromised.

If you are concerned with your public browsing you should tether to your cell phone using a USB cable (prevents anyone from getting between you and the internet) or use a VPN tunnel (encrypt all your traffic, so that again no one but the VPN endpoint is between you and the internet). Personally I run a VPN out of my personal pfSense box so that if I am in a public place I don't trust and my cell signal isn't good I just hop on and have worry free browsing.

If you don't want twitter to know your IP address then you can use a public proxy or VPN tunnel (both will offer protection from MITM attacks, though because you don't control the endpoint you don't know what the proxy or VPN owner is doing with your traffic which is why I don't use public proxies or VPNs. Renting your own VPS is usually cheaper, and you control it). However this is social networking so anonymity isn't really the name of the game here.

 

[ulhvdm]

i don't have a problem with twitter.com knowing my ip .
as stated on my topic , my only concerns are my isp , local network admin(@work) and anyone between my pc and twitter.com.

i live outside north america & europe , somewhere.

 

[C7J0yc3]

In that case if it is at work, I wouldn't trust HTTPS. Depending on the firewall or CMS in place they may have deployed the cert from the CMS appliance through group policy and therefore are inspecting HTTPS traffic, though your PC doesn't alert you because it sees the self signed cert being from a trusted CA.

You may want to consider getting yourself a VPN or using TOR to route your personal traffic.

Of course I should put a disclaimer on this that many companies have very strict acceptable use policies and many times breach of this policy is grounds for immediate termination (I have seen many people terminated for spending all day on facebook etc). Therefore use this information as education, and if you decide to actually deploy any of these methods realize that you could be in for a world of hurt from IT and your manager.

 

[adam30k]

In this case it may be easier to tweet from your cellphone

 

[ulhvdm]

In that case if it is at work, I wouldn't trust HTTPS. Depending on the firewall or CMS in place they may have deployed the cert from the CMS appliance through group policy and therefore are inspecting HTTPS traffic, though your PC doesn't alert you because it sees the self signed cert being from a trusted CA.

.

if they are inspecting HTTPS traffic, it is still encrypted? so they still can't really read it, right?

 

[C7J0yc3]

if they are inspecting HTTPS traffic, it is still encrypted? so they still can't really read it, right?

No if they are doing HTTPS inspection they are decrypting your traffic to inspect it, and decrypting it on the way back to inspect it again. Now this all happens at the CMS appliance so it would be difficult for someone to get in there to say pull a username or password out, however depending on the device and the available logs, it could be possible. You would also fall victom to MITM attacks on your network easier as your PC is expecting domain CA signed certs, not public ones.

As others have said, you may just want to stick to your phone for this.

EDIT: Also know that even if they aren't inspecting HTTPS traffic they are still logging HTTPS traffic. So they may not be able to see what you did on the site however they still can see that you went to https://twitter.com Moral of the story is if you shouldn't be doing it at work, then just don't do it.

 

[jeffmoss26]

'help me do something I am not supposed to do AND not get caught' yeah sure...

 

[ulhvdm]

No if they are doing HTTPS inspection they are decrypting your traffic to inspect it, and decrypting it on the way back to inspect it again. Now this all happens at the CMS appliance so it would be difficult for someone to get in there to say pull a username or password out, however depending on the device and the available logs, it could be possible. You would also fall victom to MITM attacks on your network easier as your PC is expecting domain CA signed certs, not public ones.

is there a way i know that the certs have gone through a third party??

EDIT: Also know that even if they aren't inspecting HTTPS traffic they are still logging HTTPS traffic. So they may not be able to see what you did on the site however they still can see that you went to https://twitter.com Moral of the story is if you shouldn't be doing it at work, then just don't do it.

no, they don't have any problem for us to use anything online, totally free including youtube,twitter..etc, even stock exchange.
so it is only my identity and postings that i want to hide(not just from my employer , but from the isp and any mitm).
and my question also relate to my home internet service as well.

 

[adi]

I assume twitter will still have your homepage URL as something like https://www.twitter.com/myusername, so no, your username isn't going to be hidden just by using https. Same for youtube/etc, since you are signing in to a personalized page, and that page has a unique identifying URL. The same goes for any other profiles you visit.

It might hide what you post, and your password, but not your browsing history. And since they have your browsing history, they could probably tell that you POST'd something, and might be able to track down who/where it was posted and view it.

If they are doing https inspection, if you remove the trusting cert, https (and possibly all) connections will fail. You can look at certs in browser options.

 

[da sponge]

I assume twitter will still have your homepage URL as something like https://www.twitter.com/myusername, so no, your username isn't going to be hidden just by using https. Same for youtube/etc, since you are signing in to a personalized page, and that page has a unique identifying URL. The same goes for any other profiles you visit.

It might hide what you post, and your password, but not your browsing history. And since they have your browsing history, they could probably tell that you POST'd something, and might be able to track down who/where it was posted and view it.

If they are doing https inspection, if you remove the trusting cert, https (and possibly all) connections will fail. You can look at certs in browser options.

No, they won't see the username or the URL. That's all part of the HTTP header, which is encrypted. If the whole session is over SSL it shouldn't leak visits to other pages/etc, but depending on the implementation on the site's end, they might only secure authentication/cookie exchange, not all of the content. Best case a local admin would only see a connection to twitter.com on 443.

Re HTTPS Inspection: You can inspect the certificate chain on the client side and look who the root CA is. If they're doing inspection it'll be something like the enterprise CA for your network or a vendor specific root CA (e.g. Microsoft Forefront TMG HTTPS Inspection Certificate Authority).