0

Everything you know about HTTPS is wrong.

Posted by danblog on September 17, 2007 in General stuff, Ranting, Reviews, Web Hosting |

Ok i warn readers now this will be slightly a rant, but hopefully will also act as a warning.

Firstly i would like to explain a bit about HTTPS and to try and clear up some misunderstandings a lot of people seem to have about it.

HTTPS:// which stands for Hyper-Text Transfer Protocol Secure, which is a secure connection between you and the server. HTTPS is NOT a protocol in it’s self. HTTPS is exactly the same as HTTP except it has a extra layer of “security” called SSL (Secure Sockets Layer). When comparing HTTP and HTTPS the only “physical” difference is HTTPS uses a different TCP port (usually 443) where as HTTP uses 80 (or 8080 depending on server set up).

SSL was developed by Netscape for you guessed it sending files and information via the web without nosy neighbors peeking. SSL uses a cryptographic key system. This system uses two keys which encrypt the data being sent, the first being the public key which surprisingly is known to every Tom, Chris and Rumpelstiltskin and then we have the Private key known only to the intended recipient of the data.

I have come acros quite a few people now who assume that because a web-page has “Secure” it means they information, often full credit card details, are secure for the short journey across cyber-space and the comfy stay in a little server on the side of the planet. However often what most do not understand is this is not the case, yes the information can not be easily sniffed or taped on its connection between you and the server, but it does not secure its safety when it reaches the server OR how the webmaster as well as every one who has access to the server (which is often a lot) do with that information.

Just because a server uses SSL (which any body with a website and a spare £15 ($30)ish can obtain, without any security checks for the website i might add, doesn’t mean the server can’t be hacked or even already hacked.

Dodgy webmaster, not only do you have to worry about your personal information being sniffed or viewed on transfer, while it’s sitting on the web server and hackers seeing it, But what about the actual website Administrator? what is he suddenly thinks hey, i have a database full of all the transaction details  i have sold naff to over the net…

Getting security certificates validated by browsers.

Now virtually all modern browsers are both SSL capable and show some type of alert if the incoming SSL certificate  is self signed or invalid.

I would like to make this perfectly clear, ANY webmaster can set up a secure connection for his/her website(s) and it will have EXACTLY THE SAME level of security as a certificate signed by a authority, the only difference being that many browsers have been told by the amazingly outrages persons who run these “cert authorities” that your site is OK!

Other wise your browser experience is hindered by warnings (especially with Internet explorer 7 who refuses to show the page unless you accept)

I hope this has been at least informative to some, i think its probably one of my more readable posts so far!

 Dan – Happy surfing 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *

Copyright © 2007-2018 Dan's Tech Blog All rights reserved.
This site is using the Desk Mess Mirrored theme, v2.5, from BuyNowShop.com.