Overview API Downloads
NotesHTTP vs. HTTPS

HTTP vs. HTTPS

A Condensation store is often accessed via plain HTTP or its encrypted counterpart HTTPS.

Since all Condensation data is end-to-end encrypted, using HTTPS only has a small impact on security:

HTTP HTTPS
Exposed data No No
Exposed request and response headers On network and server On server only
Exposed access pattern Yes Yes

Using HTTPS hides the request and response headers from an observer in the network. Using plain HTTP, these headers can be observed by any router.

Request and response headers primarily reveal which objects and accounts are being accessed. This may allow an attacker to guess which accounts are sharing data with each other (working together, communicating with each other).

Headers may also reveal what operating system, web browser or Condensation version a user is using. Some of this information may leak through HTTPS as well, but is certainly more difficult and less reliable to obtain.

From this perspective, using HTTPS is desirable.

However, request and response headers are in any case available on the store server, and accessible by their system administrators. Hence, if a user does not trust the store server more than the network in between, using HTTPS is pointless.

Condensation is free and open. You may use all contents of this website under the terms of the CC BY 4.0 license, attributing the work to condensation.io. Source code is available under the MIT license.
This website is work in progress. If you have suggestions, or want to talk about Condensation, please get in touch with us.
Page status: Jan 2022