HTTP vs. HTTPS
A Condensation store is often accessed via plain HTTP or its encrypted counterpart HTTPS.
Since all Condensation data is end-to-end encrypted, using HTTPS only has a small impact on security:
HTTP | HTTPS | |
---|---|---|
Exposed data | No | No |
Exposed request and response headers | On network and server | On server only |
Exposed access pattern | Yes | Yes |
Using HTTPS hides the request and response headers from an observer in the network. Using plain HTTP, these headers can be observed by any router.
Request and response headers primarily reveal which objects and accounts are being accessed. This may allow an attacker to guess which accounts are sharing data with each other (working together, communicating with each other).
Headers may also reveal what operating system, web browser or Condensation version a user is using. Some of this information may leak through HTTPS as well, but is certainly more difficult and less reliable to obtain.
From this perspective, using HTTPS is desirable.
However, request and response headers are in any case available on the store server, and accessible by their system administrators. Hence, if a user does not trust the store server more than the network in between, using HTTPS is pointless.