This protects you from nothing. It actually makes it LESS secure. Because you now have to enable JavaScript.
The service provider can still decode the info by MitM'ing.
If you are using Google Fiber, for example, your service provider can do whatever they want anyway – they control your browser, they are a CA and they are your ISP.
If not: As we’ve seen with CINNIC, MitM'ing is trivial because CAs give out root certificates far too often, far too easily
This is not to protect you, it's to protect the website.
>The service provider can still decode the info by MitM'ing.
Yes, but as I explicitly mentioned, only if you visit the website. If NSA goes to the website and demands the data, they can't do anything with it until I visit, whereas if it was decrypted, they could. This is a non-trivial difference.
>If you are using Google Fiber, for example, your service provider can do whatever they want anyway – they control your browser, they are a CA and they are your ISP.
Google is not going to risk their entire reputation by abusing their CA. Notice how CNNIC was removed from trusted stores and basically lost their business. Mitm by compromising a CA is far from trivial. Also, certificate pinning can mitigate the CA risk almost completely.
As you’ve probably seen with MEGA, this does not protect the site at all.
Take Megaupload (not MEGA), they had unencrypted data, but complied fully with DMCA and operated fully legally.
Take MEGA, they have to comply with DMCA, too, even though everything is encrypted and they never can decrypt the data, either (MEGA does literally the same as up1.ca)
Additionally, Certificate pinning only works if I visited the site before the MitM started. And some carriers like T-Mobile just strip every Certificate Pinning header anyway, as they use proxies to compress data. (Chrome’s Turbo mode does the same).
Essentially, the site uses JavaScript for showing images without providing any advantage to either the user or the site.
MEGA is only able to comply with the DMCA when the link is provided with the full hash.
MEGA is technically unable to remove similar or matching files based on content.
> And some carriers like T-Mobile just strip every Certificate Pinning header anyway, as they use proxies to compress data.
I question the t-mobile thing, unless they're installing certificates on end-user's phones that should not be possible. This is SSL traffic, remember, all those headers are also sent over SSL so unless T-Mobile is performing MITM, this shouldn't be a problem.
As for the Chrome Turbo mode thing, it is disabled for SSL traffic, as are most of these other things.
Well, admittedly, in the context of a link on Hacker News, it's pretty true. The link containing the seed is trivial to obtain and could easily be reported to the providers who would have to take it down if deemed legally necessary.
The service provider can still decode the info by MitM'ing.
If you are using Google Fiber, for example, your service provider can do whatever they want anyway – they control your browser, they are a CA and they are your ISP.
If not: As we’ve seen with CINNIC, MitM'ing is trivial because CAs give out root certificates far too often, far too easily