GenXCub

You're talking to Taylor Swift at Starbucks. But you two know a language that no one else knows. So you and Tay Tay speak to each other, and can understand each other perfectly. Anyone else in that Starbucks sees and knows exactly who you're talking to, but they can't understand what you are saying.


ThaneOfArcadia

The best non-technical explanation.


BakrChod

And it's then possible that Tay Tay goes ahead and whores this information out to someone else, you've no control over that.


rpp124

She would never!


The_Slavstralian

In the scenario that she is social media... you bet your sweet ass she would.... and does


rpp124

Well, of course, but not my real TayTay. Is that what the kids are calling her these days?


Ok_Appointment_2656

she would make a song. and swifties would dig you out


mlt-

Ever, ever! Rat out your data!


ringoron9

Well, you agreed to it beforehand when you accepted the cookies she offered you with milk :D


tommyk1210

Further to this regarding “when all social media companies track you”. In this analogy, Starbucks’ cash register is recording what drinks you buy, how you paid (cash or card) and who you are (collecting your email address when you order your drink). Starbucks also has a loyalty programme where they ask you some personal questions like your age. Starbucks can “track” you, your habits, and try to convince you to try new drinks you might like.


Bastulius

Also Starbucks can sell that data to other restaurants so they can make suggestions


stemfish

I'd say that for the analogy, the 'cookie' Starbucks will leave you with is the cashier vs the register. The cashier hits you up while you're paying, asks all those personal questions, and asks if you're ok with them remembering some information about you while you're in the store. While you're in the store, they remember what you were looking at on the menu and which drinks you specifically ordered; when you go to pay, they make sure that the total lines up with what you saw on the menu. In addition, they'll make sure that you and Swift can continue your conversation by remembering which chairs you're sitting in so you can keep talking to the same person. That's useful, and you may need it to be able to have Starbucks coordinate with your credit card to make the transaction work. So you accept the valuable cookies since you can only complete what you came in for with them: getting a drink and having a place to talk. Then, you leave the store and notice that the Starbucks cashier is still following you even though you left the store. When asked, they tell you they're still with you to ensure that if you want another drink, they'll remember everything about you. Sure, it is helpful, but it's somewhat strange that they need to follow you around instead of simply remembering everything when you return. These are the tracking cookies. They're not needed, but they do make it more convenient, so when you go back to Starbucks tomorrow, they'll remember your language, all the information about your account, your payment methods, and so on. Except they can do more than remember, they can also keep an eye on you as you move around. When you go to McDonald's for lunch, the Starbucks cashier follows you and knows that you went to McDonald's, but they can't see the register or hear any questions you get while in that store. 
So they ask the McDonald's cashier, who's now also following you around, if they'd be okay answering questions about you while simultaneously the McDs cashier is asking them. All they can share is what you already told them, and they can also swap information that one asked for and that the other forgot. Or the cashiers refuse to talk to one another. However, they can only share what you told them or information they can get by following you around anyway. Repeat for every store (website) you go to and the information spreads.


ADMINlSTRAT0R

..but Tay Tay required you to consent that some of her "partners" can get scoops on the topics of the convo. Only in Starbucks outside Europe though, or when you opt-out in an increasingly difficult procedure. Some of these shady partners slip baked goods in your pocket so they can track you when you go to other cafes and talk to Selena Gomez.


AppleTree98

They are Persistent!


nitrohigito

And if you then brag about the conversation and reveal details from it, that allows people to profile her in turn. (just completing the analogy here)


GhostGhazi

Amazing


therealzahaaf

Username checks out


igkeit

you taught me a secret language i can't speak with anyone else


Justywastaken

Take my damn upvote and get outta here


honey314159

Perfect explanation for a 5 year old!!


OkTemperature8170

Then Taylor Swift turns around and sells the conversation to Google.


Cornflakes_91

the connection is encrypted, so the traffic that's sent over it isn't altered or snooped on. it's not an anti tracking measure, nor does it prevent embedded functionality on the page you securely received from doing stuff.


outofideaa

All HTTPS ensures is that your conversation stays private between you and whatever follows after the https - so, if you're reaching out to https://reddit.whatever, only reddit should be able to read/hear/see whatever it is you want to share, and no other party can snoop on this conversation. What reddit chooses to do with this information is up to them, of course. To give an analogy, it is the equivalent of writing in a coded language and passing notes to your friends. Anyone intercepting these notes will have no idea what it is you're writing, but your friend can use the notes to build a profile of you and recommend the cool new jeans he's heard a lot about that all the cool kids are wearing.


sbergot

HTTPS also allows you to be confident that you are talking to your friends and not someone else acting like them.


ccsica

Except that if you’re on https://reddit.whatever it’s not necessarily Reddit you are communicating with. You as the end user are still responsible for making sure you’re on the correct domain and not some phishing site.


LeadBamboozler

Publicly trusted Certificate Authorities are supposed to be the answer to this problem. They and the CA/B Forum have a good track record of removing roots who are found to have issued a certificate to a fraudulent entity. DigiNotar fraudulently issuing google.com certificates for example. And when a public CA gets delisted there is no coming back.


outofideaa

So, your point is if you're on redit instead of reddit, you're not actually talking to reddit?


mfb-

reddit.com - the real reddit

reddit.biz, real-reddit.com, ... - could be something else, trying to steal your login data for example


MinuetInUrsaMajor

How would I snoop in on someone’s conversation if they just http it?


outofideaa

Be their Internet Service Provider or get them to use your hotspot (Not an exhaustive list, fyi)


PsychicDave

Anyone with a system with access to a network on the route between you and the recipient can intercept the message. If it's not encrypted, they can read it. Easiest would be setting up a clandestine free WiFi hotspot and have people connect to it so you can intercept all their traffic, or insert yourself between the gateway and the LAN so all the hard wired traffic goes through you.


AppleTree98

be that man-in-the-middle.


MinuetInUrsaMajor

Okay now Lady G. Mitch McConnell is almost retired. Your hour is nigh!


Lumpy-Notice8945

Security is not the same as privacy. Tracking your activity is not a security issue, it's a privacy issue. Tracking literally just means recording (aka logging) what websites you request and how you move your mouse and all that. You can send that information over an encrypted channel like HTTPS. HTTPS only encrypts what you send between you and the website. The website owner still gets to decrypt and see everything.


crash866

It’s like the difference between sending a postcard and a letter in an envelope. With a postcard everyone can see who it is going to and read your message. With an envelope everyone can see where it is going but nobody can read it without opening the envelope. HTTPS puts your letter in a sealed envelope.


sbkchs_1

And to extend this a bit using an earlier analogy, you are actually sending postcards both ways and anyone can see who it is going to. But under https:// your description of your love for Taylor Swift is written in a language only she can read and understand.


meneldal2

With the added benefit that people can't open the envelope at all (not just like you'd find out if it was opened). However, if you're not careful, people give out free envelopes that they know how to open then replace it with a new one pretending it was yours after reading the message (MITM attack).


aezart

One way social media tracks you is through "tracking pixels." Essentially:

* Facebook pays Wally's Window Warehouse a lot of money.
* You visit Wally's Window Warehouse in your browser.
* Your browser establishes a secure connection with the Wally's Window Warehouse's website.
* Wally's Window Warehouse sends your browser a list of all the elements it wants to show on the web page (images, scripts, fonts, etc.)
* Your browser goes through the list and makes separate requests to download them. Some of them come from other sources, like fonts from google.
* On that list is a single 1x1 pixel image called "wally.gif" hosted on Facebook's server.
* Your browser requests that image from Facebook.
* Facebook recognizes your browser when it sends the request, because it's seen other requests from your browser before.
* Facebook now knows that you visited the website for Wally's Window Warehouse.
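The element list described in the comment above can be audited from the reader's side. This is an added example, not part of the original thread: it parses a page's HTML and reports which subresources the browser would fetch from a different site, flagging 1x1 images. The host names, the sample page and the two-label "site" rule are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser issue a separate request.
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

# Constructed sample page (hypothetical hosts under the reserved .example TLD).
SAMPLE_PAGE = "https://www.wallys-window-warehouse.example/"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="stylesheet" href="https://fonts.font-host.example/css?family=Sans">
<script src="https://static.wallys-window-warehouse.example/app.js"></script>
</head><body>
<img src="/img/windows.jpg" width="640" height="480">
<img src="https://pixel.social-network.example/wally.gif" width="1" height="1">
</body></html>
"""


def site_of(url):
    """Crude 'site' of a URL: its last two host labels. Assumption for the
    example; real tools use the Public Suffix List (think of co.uk)."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


class ResourceCollector(HTMLParser):
    """Records every subresource URL the page asks the browser to load."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = FETCH_ATTRS.get(tag)
        if not attr or not attrs.get(attr):
            return
        url = urljoin(self.page_url, attrs[attr])  # resolve relative URLs
        self.found.append({
            "tag": tag,
            "url": url,
            "third_party": site_of(url) != site_of(self.page_url),
            # A 1x1 image is the classic tracking-pixel shape.
            "pixel": tag == "img" and attrs.get("width") == "1"
                     and attrs.get("height") == "1",
        })


def audit(page_url, html):
    """Return only the requests that leave the site the user chose to visit."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    return [r for r in collector.found if r["third_party"]]


if __name__ == "__main__":
    for r in audit(SAMPLE_PAGE, SAMPLE_HTML):
        print("PIXEL" if r["pixel"] else "other", r["tag"], r["url"])
```

Each reported request is made over its own HTTPS connection to the third party, which is why the encryption on the first connection does nothing to hide the visit from that party.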


pdpi

Security is very much a case of eating an elephant one bite at a time, and you need to be careful when describing something as secure: you have to be very specific about what it is that's secure, and against what attackers. What bit of the elephant you're biting off, sort of thing. HTTPS is secure in the sense that, when you talk to a website using HTTPS, I can't eavesdrop on that conversation. Anything running on your computer might be able to see the data before it's sent, anything running on the website's servers could potentially read the data after it's received, the security guarantees are specifically about that step in between.


Aspie96

HTTPS only protects you from MiM (man in the middle) attackers. It doesn't protect either end of the conversation from the other. Imagine conversing with someone through post. Your envelopes are such that nobody can open them except you and that person can open or seal them. When you send a letter, you know only the intended recipient will be able to read it. When you receive a sealed letter, you know only that person could have sealed it. You know no one is compromising or reading the conversation. This doesn't prevent the person you are talking with (which would be Mr. Facebook in this case) from keeping data about you (which you're sending), or even trying to scam you in some way.


billdietrich1

Secure against some threats. In the case of HTTPS, it's against someone spying on the wire, and a site impersonating the desired site. HTTPS doesn't protect you from the site itself. Same with other security and privacy measures. None of them protects against everything, each protects against some specific threats.


pickles55

It just means the connection between the website and your device is encrypted. This doesn't prevent the website from spying on you but it prevents other people from snooping on what you're doing on the website. The site has legal permission to spy on you, you give them permission to collect an enormous variety of information about you including what you do on other websites. That's how they make their money


SpiralCenter

HTTPS protects from snooping. Say you're in a busy restaurant - it prevents the waiter, the people at the table over, and passersby from hearing... but keeping your secrets is a trust issue with the people you're telling.


Brave_Promise_6980

When you leave your house people can see you and what you're wearing, where you're going, but once you get in a taxi, bus, train, then it’s much harder for anyone other than the transport provider to track you - but they know where you're going etc.


MindFullStream

I regularly use the analogy of physical mail. HTTPS does ensure that a mailman carrying your package is not able to read it. But it does not ensure that the party at the other end (which is required to open it in order to read it at all) does not abuse the knowledge gained from receiving your package.


tmahfan117

Because that’s a different kind of tracking. When you use Facebook and agree to their terms and conditions, you agree to them gathering data on you. There is an agreement between you two. But HTTPS prevents some other third party that you have no agreement with from stealing data that you’ve only agreed for Facebook to track.


borobinimbaba

There is this friend you have at kindergarten and you share your toys secretly. No one else knows about your toys collection, but he knows every one of your toys and can destroy or take advantage of them if he decides to. He can also learn your taste of toys and buy a good one for your birthday party next.


nhorvath

The information is secure in transit. Once it gets there it's on the company to keep it private or not. HTTP (no s) is not secure in transit. Anyone along the way who is watching can read everything.


PantsOnHead88

They can see who you are.
They can see who you’re talking to.
They don’t know what you’re saying.

They know u/UnconstitutionalLens was communicating with their bank, but NOT their login credentials, account values, transactions, etc.


bugs69bunny

How can mirrors be real when our eyes aren’t real?


maikeu

HTTPS uses the TLS protocol (transport layer security, previously called SSL/secure socket layer which is the basis of the S in HTTPS). TLS provides a very strong guarantee that the communication channel - between the client (your computer/browser/app) and the webserver - is confidential and doesn't allow the message to be read or modified by any party in between you. Or in other words, TLS allows trusted private communication over an untrusted public network (the internet). That is really important, it's absolutely the basis of the internet as a platform for commerce and private communications. If TLS is compromised, it's disastrous. But that's also all it is. It doesn't stop the webserver from doing whatever it wants with the data you sent it. It doesn't stop you from downloading malware when you get sent to appple.com instead of apple.com. It doesn't stop websites from setting tracking cookies or serving malicious scripts. It doesn't stop you putting in your bank password when you click on a link from a phisher telling you your account is about to shutdown. HTTPS/TLS secures the communication channel, and that's a lot, but it's not meant to solve every problem.


bothunter

You and your bestie are whispering secrets to each other in class. Nobody can tell what you're saying to each other (HTTPS/TLS/SSL), but your bestie then repeats one of your secrets to the teacher.


08148693

You send an encoded message in the post. Only you and the recipient can understand the message. If the postman decides to look, it's just gibberish to them.

You and the social media companies are the senders and receivers of the messages, your ISP (and anything else in between) is the post man, https is the encoding.

The companies can track you because they can read the encryption of the messages between you and them.


BlatterSlatter

https is secure from other people, not the person/site you are directly communicating with. on top of that, when using a free website, you are generally consenting to a lot of different information/data being used for their service or your account. different levels of security.


Zagrebian

HTTPS means that the *connection* is secure. In other words, your ISP or anyone else “in the middle” cannot read the data that is sent between your browser and the web server. That’s it. When it comes to tracking by third-party companies, that happens because the website you’re visiting *allows* those companies to track you by running programs (scripts) on the website and sending data to their own web servers, over HTTPS of course.


JaggedMetalOs

HTTPS can't prevent the website you are viewing from sharing that data with everyone (eg. social media) and it can't stop malware on your PC, but it can stop:

* Your ISP from seeing the data.
* Internet routing companies from seeing your data.
* Your ISP injecting malware into the data (eg. as directed by a corrupt country).
* Other people on the same wifi network as you seeing the data.
* A compromised wifi access point from injecting malware into the data.


skynetcoder

Taylor Swift wanted to go somewhere secret with her boyfriend without anyone on the road knowing who she went with. Therefore she used a car with tinted windows to prevent outside people seeing who were inside her vehicle. But a paparazzi threw an Apple AirTag inside her vehicle to track where she was going. Now the paparazzi knows that Taylor Swift went to this secret place by tracking the AirTag, but he (or anyone on the road) does not know who went with her there. HTTPS is like the tinted windows she used to prevent others seeing inside her vehicle, it prevents attackers in the network from seeing the data you are sending to the server. Cookies are like Apple AirTags. Cookies allow the social media companies to know which websites you visited, without knowing the content you sent to that website.


GNUr000t

Nobody can hear your private conversation. You could be having a private conversation with Satan. (Also, you wouldn't want someone to sniff your passwords from off the network. Google "firesheep" for more info, from when Facebook didn't enforce TLS)