SSL and knee jerk reactions  [message #74637] Wed, 01 August 2018 08:36
timmy

Has no life at all
Location: UK, in Devon
Registered: February 2003
Messages: 13592



SSL, the Secure Socket Layer, was designed and intended to encrypt the traffic between the client [your browser] and the server [the web server].

It is concerned with encryption of real world name and address details, credit card information, medical data, and similar issues.

It is not concerned with general web traffic.

It does not hide the fact that you have visited a site.

It does not clear your browser history.

Anyone concerned about the 'not secure' messages in the address line is falling for universal paranoia created by those seeking to market universal SSL for commercial gain.

The content of the web site is out there, in public (though not public domain), for all to see.

Your internet service provider knows you use the internet.  They can track and log all the sites your IP address visits.  The only thing they cannot log during your time online is the actual content of a transaction with an SSL protected page.

Here, you do not enter any sensitive personal data anywhere unless you choose to. Hence the 'Not Secure' message in the address bar is interesting but unimportant to you. If you use real life details here, that is your choice. That message tells you that you take a risk and you choose the level of risk you take. But you do not need to enter anything here that actually identifies you, and we do not take money from you.

We could add SSL to the entire site. It carries a cost. Lack of SSL may put three visitors off. It will not put off those who want to read things on the site.

Unless, of course, they fall for Google's extortion racket.



Author of Queer Me! Halfway Between Flying and Crying - the true story of life for a gay boy in the Swinging Sixties in a British all male Public School
Re: SSL and knee jerk reactions  [message #74638 is a reply to message #74637] Wed, 01 August 2018 10:24
timmy

Has no life at all
Location: UK, in Devon
Registered: February 2003
Messages: 13592



But note:
Quote:
Some browsers may complain about a certificate signed by a well-known certificate authority, while other browsers may accept the certificate without issues. This occurs because the issuing authority has signed the server certificate using an intermediate certificate that is not present in the certificate base of well-known trusted certificate authorities which is distributed with a particular browser. In this case the authority provides a bundle of chained certificates which should be concatenated to the signed server certificate.




Author of Queer Me! Halfway Between Flying and Crying - the true story of life for a gay boy in the Swinging Sixties in a British all male Public School
Re: SSL and knee jerk reactions  [message #74639 is a reply to message #74637] Wed, 01 August 2018 10:43
notDave

Getting started

Registered: July 2015
Messages: 7



I'm an IT guy and a web developer. From your description of SSL, you are not :) 

I'm calling you out on attempting to convince people that SSL is universally bad just because it doesn't apply to IOMFATS. Yours is not the only site that your users visit. Some, specifically porn sites (and you can't tell me that your users are so pure that they don't visit porn sites), run malicious code that is blocked by HTTPS.

That malicious code doesn't have to be on the host server, it can be on the ad host's server. The host site owner may not even know that the code in their ads is malicious.

Do YOU know that the next site that a user goes to isn't running bad code?

Do YOU have any control over whether your users are using a public wifi node that's prone to man in the middle attacks? No, you don't.

So please, for the sake of the people here, don't make SSL out to be a scam just because you don't want to install it here.

I understand that IOMFATS is a pretty safe site. I wouldn't be here if it wasn't. And whether or not you use SSL is entirely up to you. I agree with you that Google is predatory. I don't agree that SSL on the whole is bad. And Google is not the only SSL certificate provider - in 25 years in the business, I've never bought an SSL cert from them. I use other providers that are, in my mind, better at it.

But please don't make it out to be a scam. It's not. It protects users from themselves, and it's not your place to attempt to convince them otherwise.
Re: SSL and knee jerk reactions  [message #74640 is a reply to message #74639] Wed, 01 August 2018 19:46
timmy

Has no life at all
Location: UK, in Devon
Registered: February 2003
Messages: 13592



You need to read what I wrote, not your expectation of it.



Author of Queer Me! Halfway Between Flying and Crying - the true story of life for a gay boy in the Swinging Sixties in a British all male Public School
Re: SSL and knee jerk reactions  [message #74642 is a reply to message #74639] Wed, 01 August 2018 23:19
timmy

Has no life at all
Location: UK, in Devon
Registered: February 2003
Messages: 13592



"notDave wrote on Wed, 01 August 2018 11:43"
I'm an IT guy and a web developer. From your description of SSL, you are not :) 

I'm calling you out on attempting to convince people that SSL is universally bad just because it doesn't apply to IOMFATS. Yours is not the only site that your users visit. Some, specifically porn sites (and you can't tell me that your users are so pure that they don't visit porn sites), run malicious code that is blocked by HTTPS.

That malicious code doesn't have to be on the host server, it can be on the ad host's server. The host site owner may not even know that the code in their ads is malicious.

Do YOU know that the next site that a user goes to isn't running bad code?

Do YOU have any control over whether your users are using a public wifi node that's prone to man in the middle attacks? No, you don't.

So please, for the sake of the people here, don't make SSL out to be a scam just because you don't want to install it here.

I understand that IOMFATS is a pretty safe site. I wouldn't be here if it wasn't. And whether or not you use SSL is entirely up to you. I agree with you that Google is predatory. I don't agree that SSL on the whole is bad. And Google is not the only SSL certificate provider - in 25 years in the business, I've never bought an SSL cert from them. I use other providers that are, in my mind, better at it.

But please don't make it out to be a scam. It's not. It protects users from themselves, and it's not your place to attempt to convince them otherwise.

--

I am interested in your statement "Some, specifically porn sites (and you can't tell me that your users are so pure that they don't visit porn sites), run malicious code that is blocked by HTTPS." and I will be very interested to read any reliable sources that describe this blocking of malicious code. Please cite them for us.

Please don't worry about my own background or my skills. I have quite sufficient knowledge, skills, experience, and expertise for all that I do. 

I have not said that SSL is good, nor bad. I suppose I should get used to calling it TLS, but I bet SSL will stick in the mind of the public. I have simply stated what it does and that it is not relevant to us here. I feel very much that Google is missing the point and is running a very foolish scheme to highlight pages that SSL has no value for as Not Secure. Who cares if a story page is Not Secure? We care if a page we give personal details on is insecure. And here we do not have to give real world personal details. Needing every page to have a padlock is paranoia.

[Updated on: Wed, 01 August 2018 23:44]




Author of Queer Me! Halfway Between Flying and Crying - the true story of life for a gay boy in the Swinging Sixties in a British all male Public School
Re: SSL and knee jerk reactions  [message #74645 is a reply to message #74640] Thu, 02 August 2018 00:51
notDave

Getting started

Registered: July 2015
Messages: 7



I actually did read what you wrote
Re: SSL and knee jerk reactions  [message #74646 is a reply to message #74642] Thu, 02 August 2018 01:58
notDave

Getting started

Registered: July 2015
Messages: 7



Here's your source. You can see the date on the document - it's from 2015. Implementing SSL worldwide isn't a Google initiative - it's Google following W3C standards. Also, check their pricing. They're not charging for SSL on sites they host and are pushing people to other SSL providers for sites they don't host. That's not the definition of "money grabber".

Here's a simplified explanation of the process for you.

I realize that IOMFATS doesn't "need" an SSL certificate. You don't run ads, you don't run code other than some PHP and some includes. I'm sure you know that your natural Google page rank will decline by not having an SSL certificate, but maybe you don't need page rank either.

My specific issues with your post lie here:

"It is not concerned with general web traffic." Yes, it very much IS concerned with general web traffic. A malicious actor can connect to a wifi access point in a coffee shop and capture all traffic moving across that access point, capturing things like server, operating systems and browser information. If an actor sees that a user has IE 7 running on their laptop, they've got a target. So, your non-secure site exposed a user with an insecure system to a potential hack. THAT is what SSL encryption for "general" web traffic is designed to prevent. Or, flipping it around, it can see if your web host is running an old version of PHP or mySQL, which are prone to attack by injecting code through the browser (getting your site root password from a php.ini file, for example).

With an SSL cert on your site, all of that is encrypted and not exposed to a malicious actor.

"Anyone concerned about the 'not secure' messages in the address line is falling for universal paranoia created by those seeking to market universal SSL for commercial gain" You just called anyone who's worried about insecure sites and web security naive. No, no we're not. What we ARE is tired of fixing the same goddamn computers over and over again because people don't read what's on their screens, or listen to their IT providers about visiting unsafe sites, installing malware and toolbars and all manner of bullshit. And it seems that the only way that we in the web dev/IT/networking world can protect users is to protect them from themselves, by requiring SSL on as many websites as possible.

"The only thing they cannot log during your time online is the actual content of a transaction with an SSL protected page." This is flat incorrect, bad information. Transactions are encrypted along with ALL of the traffic coming and going between the web page and the server. All of it. Not JUST the transactions. 

If you really want to prove the point, simply go get a network packet sniffer (lots of free ones out there), visit an insecure website with packet capture running, and then do the same with a secure site. You'll be able to interpret the data right in the capture stream (it's all sent in clear text) from the insecure site. You won't be able to see a thing from the secure site.

I appreciate that you don't want or like SSL (which is not the same as TLS - two different methods there). You don't have to. But please keep your dismissive comments about it to yourself. It's important technology that, while it may not apply here, applies in a broad sense everywhere else. To imply to your users that it's all a money-grab is just wrongheaded.
Re: SSL and knee jerk reactions  [message #74647 is a reply to message #74646] Thu, 02 August 2018 04:37
Bisexual_Guy

Likes it here
Location: USA Midwest
Registered: September 2015
Messages: 131



I make no claim to be a computer expert.

However, I have read (and have no reason to doubt it) that the US government has a backdoor to most, if not all, SSL encryption.  If the government has it, so do many others.

By TLS, are you meaning Transport Layer Security?  Is that the type of encryption the US government became upset with some years back because they did NOT have all the encryption keys?  I know they have been after some companies (Apple, for example) to bend over and provide their own computer code lube so the government has easy access to their back door.

I have sometimes not gone to sites which do not have HTTPS in the beginning line of the address.  But as long as my security systems and anti-malware programs are working and updated often, I will go to IOMFAtS.  Both of my Internet Service Providers have built in anti-virus protection included in my service fee, as well.  (Those who do not have that might want to look for an ISP that does, if available in their area.)

What is the difference in security level regarding SSL and TLS?  
Re: SSL and knee jerk reactions  [message #74747 is a reply to message #74639] Sat, 18 August 2018 06:51
dgt224

Toe is in the water
Location: USA
Registered: May 2011
Messages: 81



"notDave wrote on Wed, 01 August 2018 06:43"
.... Yours is not the only site that your users visit. Some, specifically porn sites (and you can't tell me that your users are so pure that they don't visit porn sites), run malicious code that is blocked by HTTPS.

That malicious code doesn't have to be on the host server, it can be on the ad host's server. The host site owner may not even know that the code in their ads is malicious.

Do YOU know that the next site that a user goes to isn't running bad code?
...




--
There's nothing wrong with insisting on a secure (HTTPS) web connection when you care about the authenticity or security of the data exchanged between your browser and the server on the other side. I would never consider sending my login credentials or anything else of significance to my bank, investment broker, credit card issuer, or any of a host of other sites where exposure of that information could be personally damaging over an insecure connection. I would be extremely reluctant to act on personal or financial information accessed through a non-secure web connection. I would certainly never install software of any sort downloaded over an insecure connection. The risk of man-in-the-middle attacks is too significant to take that sort of risk.

With that said, the quoted part of notDave's message is utter nonsense.

What TLS does is guarantee, to a very high probability, that each message transmitted between your browser and the server at the other end of the connection is not readable by anyone listening in and further that no one can intercept and modify any of those messages. The server is required to identify itself with a digital certificate "signed" by an authority known to the browser, so TLS provides guarantees as to both the integrity and privacy of the message exchange and the authenticity of the server, although it is sometimes possible to convince a browser to accept a certificate that hasn't been properly signed. It's a good idea to pay attention if your browser complains about a web site's certificate.

Nothing in that description says anything about what kind of code is transmitted from the server or running on the server. There is no reason that a porn site would have any difficulty obtaining a TLS certificate. Code downloaded from a secure porn site could certainly turn out to be malicious; all TLS buys you is the knowledge that any malicious code came from the porn site's server, or some other server that they got you to use. TLS never looks at the content of the messages it protects; as far as TLS is concerned every message is just an arbitrary string of bytes.

Secure connections do provide extra protection when you're on a public WiFi network, where man-in-the-middle attacks are much easier to perform, and a hijacked HTTP connection could expose an insecure browser (and aren't they all, to one degree or another?) to various attacks when you're trying to visit a site that you trust completely, so HTTPS is generally better than HTTP. But "better" is not the same as "mandatory".

And if you believe that it's safe to run code from any site that you access with an "HTTPS://..." URL, you have misunderstood TLS in a very fundamental way.

[Updated on: Sat, 18 August 2018 06:54]
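
What a listener on the same network can read from the first packet of a plain HTTP request versus a TLS connection, as an added example that is not part of any post in this thread. The byte strings are constructed samples, `forum.example` and the helper names are made up for illustration, and the ClientHello assumes no Encrypted Client Hello.

```python
import struct

def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS ClientHello with an SNI extension (sample data only)."""
    name = hostname.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list       # extension 0 = server_name
    body = (b"\x03\x03" + bytes(32)        # client version, 32-byte random (zeros here)
            + b"\x00"                      # empty session id
            + b"\x00\x02\x13\x01"          # one cipher suite
            + b"\x01\x00"                  # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # record type 22

def parse_sni(record: bytes):
    """Return the server name sent in clear in a ClientHello record, or None."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 5 + 4 + 2 + 32                     # record hdr, handshake hdr, version, random
    p += 1 + record[p]                     # skip session id
    p += 2 + struct.unpack_from("!H", record, p)[0]   # skip cipher suites
    p += 1 + record[p]                     # skip compression methods
    end = p + 2 + struct.unpack_from("!H", record, p)[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, p)
        if etype == 0:                     # data: list len(2), name type(1), name len(2)
            nlen = struct.unpack_from("!H", record, p + 7)[0]
            return record[p + 9:p + 9 + nlen].decode()
        p += 4 + elen
    return None

def observer_view(first_bytes: bytes) -> dict:
    """Fields readable from a client's first packet without any key material."""
    sni = parse_sni(first_bytes)
    if sni is not None:                    # TLS: only the hostname is in clear
        return {"protocol": "https", "host": sni}
    head = first_bytes.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    method, path, _ = head[0].split(" ", 2)
    hdrs = dict(line.split(": ", 1) for line in head[1:])
    return {"protocol": "http", "host": hdrs.get("Host"), "path": path,
            "user_agent": hdrs.get("User-Agent"), "cookie": hdrs.get("Cookie")}

HTTP_SAMPLE = (b"GET /stories/chapter-3.html HTTP/1.1\r\nHost: forum.example\r\n"
               b"User-Agent: ExampleBrowser/1.0 (ExampleOS)\r\nCookie: sid=abc123\r\n\r\n")
TLS_SAMPLE = build_client_hello("forum.example")
```

In both cases the site name is visible; over HTTPS the page path, browser string and session cookie travel only inside the encrypted records that follow the handshake.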
