
To SSL or not to SSL.. why is this a question!?!?!?

Kirthag

Former Stratics Publisher
Alumni
Stratics Veteran
Stratics Legend
Campaign Benefactor
First, as a web developer and designer I want to state that yes, I know what SSL is, what it does, and what it is for. I've been building ecommerce and business websites since the mid-'90s, before SSL was such a huge thing to the general public - back then it was a geek thing. I worked my way from being a graphic designer to a marketing executive and then crossed over into tech and even did consultation work across the Northeast for businesses regarding their websites - was rather successful too. :)

I've watched an entire industry come to be by the overblown rhetoric of businesses selling SSL Certificates. Their scaring of unknowing and naive business owners made a lot of IT people very angry - and that anger has been beaten down into utter apathy because people want to keep their jobs. I've seen people get rich in this business.... and here I'll explain why.

Do a Google Search on just "SSL" and you get this definition:
  1. SSL stands for Secure Sockets Layer. It provides a secure connection between internet browsers and websites, allowing you to transmit private data online. Sites secured with SSL display a padlock in the browser's URL bar and possibly a green address bar if secured by an EV Certificate.
Ok, that is the actual layer, but what does the certificate do?
  1. SSL Certificates are small data files that digitally bind a cryptographic key to an organization's details. When installed on a web server, it activates the padlock and the https protocol (over port 443) and allows secure connections from a web server to a browser.

To understand this more.. you need to know what an EV Certificate is...
  1. An Extended Validation Certificate (EV) is an X.509 public key certificate issued according to a specific set of identity verification criteria. These criteria require extensive verification of the requesting entity's identity by the certificate authority (CA) before a certificate is issued.

An SSL CERTIFICATE is only a tiny little text file that identifies a website's owner to the browser. It provides a public key which is used to verify the validity of a website so that data FROM THE WEBSITE to the viewer is secure - in other words, the website is owned by whomever says they own it and information they are sending you is legitimately FROM that website. o.0 The SSL also allows for the use of port 443 on a web server which, by standards within the internet industry, is a secure port for the transmission of information.

That is all an SSL Certificate does - verify identity and information - it does not provide any other security other than that. It does not encrypt the information you send from your computer to the website. It does not encrypt anything at all but the data from the website to your computer and once the data is decrypted by the programming in your web browsing program it is no longer secure.

Since the use of SSL became big business, varying levels of "security" have been developed by businesses to help raise the price of their services to provide third-party verification of SSL certificates - these companies are called "Certificate Authorities" or CAs. There is no "standard" for their offers of "security" - it differs from CA to CA - each CA has their own OPINION of what is secure. Some CAs sell added protection, which is why SSL is actually changing to TLS (Transport Layer Security), for no one, and I mean NO ONE, can guarantee security over open internet lines that span the world. Even an EV does not provide security - it only says a company paid for additional levels of identity verification.

It is here I want to tell everyone that the only REAL security you have for your computer from the internet is to UNPLUG IT. Simply put, once you connect a modem or turn on wifi or Bluetooth, you are connected to a huge network of people you don't know. That is the only plain truth about it. If a bad person really wanted to invest the time and effort, any level of encryption can be broken into - but that is a topic for another conversation, eh?

There is a growing concern from the W3C that the lack of standardization has created an element of mis- and dis-information that has caused the general public to believe that ANY SITE that bears the "https://" in its url is safe, secure, and will protect their information from being sniffed, hacked, stolen or otherwise used in ways they do not approve of.

The World Wide Web Consortium (W3C) is a non-profit, international organization made up of web developers, designers and engineers who are working to help standardize the internet and keep it free and open for everyone to use - read more at http://www.w3.org/Consortium/
It is through their efforts that SSL certificates are being augmented by EV certifications and the new TLS is being developed.

Having SSL on a website for security is a fallacy (look at the major hackings at Sony and other companies - they use *gasp* SSL!!!) for after all, an SSL certificate only verifies identity - it doesn't supply real security. And that verification is ONLY AS GOOD AS WHAT A COMPANY PAYS FOR.



Now, for a bit of history. If you don't like history and don't want to know how the interwebs works a bit better, you can tldr the rest and post a response. Keep in mind that if I reply, I will most likely reply in kind - so become better informed and please read on.



Specifically, in 1999 to about 2001 - admins were creating their own little text file on their servers and telling their web-stack (the software that runs their web server) THAT is the SSL certificate. Then, the server admin would set up so https could be used on their site (by accessing the sites via port 443 or 8443, which are the designated ports for https) and people would believe that yes, the owner of the site is legit. So, then web browsers would display and accept that https command and visitors to that website would believe that when they submitted their private and payment information, it was being sent to whom they believed should get it. For a long time this practice was the standard and acceptable - the internet was still young and thus we were all naive. Then some not-so-nice people figured they could exploit this and would copy a website, put their own SSL certificate on it and mislead site visitors that this "doppelganger" was legitimately owned by whomever they were pretending to be.

This was a very popular move by crackers in the early part of the century - particularly duping bank sites and putting fake SSL certs on them, then sending out emails to people to go to THAT site and put in their account information - which was really being fed into a database. All real sneaky stuff, really. This helped to spawn a new industry in the tech & internet world - the Certificate Authorities.

"Hey, I will VERIFY that this site is owned by whomever PAYS me to do so!"
That idea is what spawned VeriSign, Comodo, thawte and many other similar businesses and a new "security industry" for the internet. They used what in marketing we call "scare campaigns", convincing business owners that their customers wouldn't trust the websites they've spent millions on without buying SSL verification services through them! I remember one email I was sent (being listed as the Marketing Director for a company) that, and to quote,
... without having a (company name) SSL certificate on your website, you are telling your customers that you don't care if someone else steals their money...
I have this email saved - it reminds me how crazy the industry was. That particular CA is no longer around, having been bought by a much larger firm which, in turn, was bought out by an even larger corporation.

Now, some of us geeky marketers got a bit ticked off that these companies were going to our bosses and making us look like idiots. In 2003, after years of arguing with my boss, I was forced into buying services from thawte (a South African company) for an ecommerce site I was building. All they did was check the local better business bureau to see if my employer was, indeed, registered to do business in Hawaii. That's it. They didn't check anything else to ensure the business is what it says it is. They didn't check banks, credit card merchant accounts, or even Dun and Bradstreet! All they did was go to the public records to verify that the business is, indeed, operating in Hawaii. Honestly, I was surprised they checked public records here in the US. I fully expected them to only check the very public whois records for the domain. (I will note, thawte has changed their practices since then due to the PCI regulations set forth by the major credit card companies, but that is an altogether different topic).

Well now! I coulda done that for FREE and not have to pay out $800/year for a SINGLE LEVEL SSL! That company sent a text file to me, and told me to stick it on my server. Ahh! The early years!

Ahh.. yes... the oh-so-ambiguous "SSL levels". This sorta developed around 2003 and matured around 2006. However, it is not standardized, so what one company calls "professional level" another company may call "corporate level" and yet a third company calls "enterprise" and then a fourth calls it "reseller" or "partner level". All of these "levels" range in services and costs. For most of the services, the EV Certificate is something you have to pay at least $800/year for.

Some CAs will provide "free SSL service" - all they do is send a text file to your site administrator (if you are not the site administrator) to put on the web server, then that site administrator would have to tell his server administrator to configure the server to allow the site to display via port 443 (which is the internet's standard port for SSL) and then https would be displayed in the url.

Uh... hold on... that is what everyone was doing back around the turn of the century! We all know what happened then.... doppelganger sites and phishing campaigns by some very bad people.

However, when you use those "free SSL services" from some of these CAs, you also get put on their email list and are constantly inundated with emails to buy "more secure features" for things you may not need. o.0o.0o.0

Stratics did, for a little bit, buy an SSL certificate which provided not only the verification of who we are (owned by Bazaaro Community, Inc.) - but also provided for packet encryption on login only. Meaning, when YOU sent in your login credentials via our site, your login was encrypted to our server, then our server would send the acceptance back to the website also in an encrypted form. After that, your browsing over the forums was done due to your secure login and verification that yes, we are Stratics - for the handshake gets recorded in the site cookie. No further packet encryption was provided.

Now, the SSL itself DOES NOT PROVIDE PACKET ENCRYPTION. This is something many do not understand. SSL is only verification of identity of a site - a public key in a file on a server saying, "this site is owned by blah blah blah" and access via the site's secure port. Packet encryption is provided by the EV Certificate, and this is when you will see the little lock and sometimes a green color to the url bar (depends on your web browser, but the W3C is pushing for this to be an internet standard in the new TLS standards).

And yet, there are varying levels to the EV...
  • packet encryption for logins ONLY. Many CAs consider this "advanced security" and several will not recommend this for sites unless they harvest and store personal information. Some shadier ones will just take your money.
  • packet encryption for carts only from the final transaction page, all other pages are NOT COVERED by the certificate.
  • full packet encryption for any page of site after login (also called wildcard SSL/EV) - these are very expensive certificates that get up into the $1200+ range and yes, most times the certificate details are encrypted as well and are only shared between the CA and your web host. For the most part, YOU never see the certificate file itself, and you are locked out of that portion of your web server by your host.
  • Again, the W3C is pushing for this to be standardized.

So what does this mean for Stratics? First, we must look at the two primary reasons for today's SSL needs: Collection and storage of Personal Information and Ecommerce and Credit Card Transactions...
  • Stratics does not require personal information (phone numbers, postal addresses, social security numbers, etc.) that personally identifies a specific person individually. If a user adds that information, they do so at their own risk, and this is explained in our Privacy Policy. We discourage the use of "real names"; instead, the use of "nics" is preferred.
  • Stratics does not collect funds directly from site visitors or users. Any and all payments for subscription services are passed through PayPal as they have very secure features they pay for.
If Stratics required the use of our users' personal identities or accepted any sort of payment information directly - or both of those - I'd be screaming for PAID TLS SERVICES and not even deal with simple SSL alone. However, we do not. As such, why should the meager funds generated by the site be used on something we don't need when those funds can be used for hosting and bandwidth costs as well as any possible new features that would be for the betterment of the entire community?

What about other gamer community sites? Particularly some of the largest ones...
  • IGN uses EV on their s.ign.com domain only. After login, users are redirected to the content site where there is no https involved. Account services are directed back to the s.ign.com domain.
  • MMORPG does not use ssl at all, even though they do require various personal information like real name and location and birthdate.
  • Guildlaunch (aka Gamer Launch) does not use ssl at all
  • Enjin (recommended by PCGamer) does not use ssl at all

If Stratics ever gets into such activities where sending encrypted data over the open internet is necessary, I will be all over the bandwagon for getting such services. Right now, Stratics doesn't do that.
 

Angel of Sonoma

Certifiable
Stratics Veteran
Stratics Legend
UNLEASHED
Campaign Supporter
a few years ago i was having issues with my comcast internet service. pages were loading horrendously slow & i accidentally clicked on something not yet loaded which installed a browser hijacker on my pc. one of the things it did was change my IE settings to use their proxy server. would SSL be of any benefit in that scenario?

what saved me from this hijacker was the fact that i had set up my pc with multiple accounts. i was able to switch user and get the instructions to remove the scumware. i also stopped using IE since most of the hackers seem to target its vulnerabilities.
 

Kirthag

Former Stratics Publisher
Alumni
Stratics Veteran
Stratics Legend
Campaign Benefactor
a few years ago i was having issues with my comcast internet service. pages were loading horrendously slow & i accidentally clicked on something not yet loaded which installed a browser hijacker on my pc. one of the things it did was change my IE settings to use their proxy server. would SSL be of any benefit in that scenario?
In that specific case, probably not.

SSL is placed on a web server for the website you are visiting. Some websites that do not watch their ad services will sometimes get "bad ads" that will not trigger SSL alerts for those ads are supposedly coming from a secure source (the service itself) and the security of the third party ads are confirmed via javascript and inherently pass on to the display site's SSL (this gets into programming and such - and why ad services make websites pay to use them).

What _should_ have stopped the malware from being installed on your computer would be up to date antivirus software with current profiles - and your system should have given you at least some sort of alert to something new being installed. That is not under the control of the hosting website or under any protection via a website's SSL cert.

Whatever site you were visiting, if they allowed malware to be on their site, an SSL wouldn't stop that - HOWEVER - if the malware installer was ported into the site you were visiting by some third-party service from a different domain other than the one you were visiting (and not configured correctly via javascripts), you could get an SSL warning that some items on the page being displayed are not from the domain that is covered by the SSL. This is why a lot of people block ads, and block javascripts as well.

BUT - some SSL are not configured well, and as such may not have been triggered if a website isn't completely loaded as it is still checking content - and this is probably what happened to you if you were having a hard time to connect and something allowed you to click a loader without the typical SSL warnings from the web browser - IF you were browsing via https (ie: logged onto the site and if that site had SSL installed and configured right). If you are just generally browsing without being actually logged into a site, for the most part, you will not be "...enjoying the added security of knowing you are on a trusted site..." (quote from a CA).

Some irresponsible web designers who use hotlinking to build their "secure" site will have SSL cert errors as well - most times that warning reads like, "Some content on the page you are viewing is not secure. Are you sure you want to continue?"

Or another warning (used by google) will scare you away by saying something like this:
[attached screenshot of Google's certificate warning page]

Which if you ask me STILL is not accurate. That is a "scare tactic" warning and is saying that the website you are visiting might be under attack when, essentially, it is the SSL cert that is not valid so you may not be getting the correct website you think you are going to. :( This message showed up for a friend of mine who missed the SSL renewal date for his wife's bake site and all their customers freaked out thinking their host was under attack. Bad Google!!! Many companies have been complaining about this to Google since they started using this message in February. Google has been trying to make their messages "more understandable" to the public, but stuff like this is, again, only scaring people who then will mistrust the site they intended to visit - be it legit or not.

Remember, SSL only verifies the identity of the website you are visiting and allows traffic to flow through the secure port of the webserver - not your personal computer. If anything, the SSL is more for protection of the webserver and is to instill trust from the website visitor that they are, indeed, visiting the correct site on the correct server owned by the people they want to do business with. Of course, that level of security is determined by how much a company has paid.... and you, the browsing public... will almost never know just what that level of security is.

Technically, your connection is never _private_ as you are connecting from your house, sometimes through several hops to your ISP, then your ISP connects via several more hops to other servers, which in turn will then send your packet to the server of the website you are visiting.... but yet, the SSL is ONLY configured for that particular website, not everything in between. When you think about it, you are using the same "line" as.. well.. that creepy guy next door and the very smart script-kiddie who lives across the street.

Don't get me started on wifi.... o.0

I used to sit and watch my ping go from great to dismal right about 6pm - for that is when all the kids on the block would finish their dinners and log onto their Xboxes - and I would hear them all yelling at each other while they ganked people in Halo. Then I'd get great ping around 10pm - when they were all kicked off and told to go to bed. Then, around 11pm... the netflix streaming would start as ppl would stream until they fell asleep and I would consider my gaming time at an end for the night for they'd fall asleep and the same movie would stream until their timers shut everything down - typically around 3am.

How do I know? Well... houses are built close in Hawaii.....
 

petemage

Babbling Loonie
Stratics Veteran
Stratics Legend
UNLEASHED
An SSL CERTIFICATE is only a tiny little text file that identifies a website's owner to the browser. It provides a public key which is used to verify the validity of a website so that data FROM THE WEBSITE to the viewer is secure - in other words, the website is owned by whomever says they own it and information they are sending you is legitimately FROM that website. o.0 The SSL also allows for the use of port 443 on a web server which, by standards within the internet industry, is a secure port for the transmission of information.

That is all an SSL Certificate does - verify identity and information - it does not provide any other security other than that. It does not encrypt the information you send from your computer to the website. It does not encrypt anything at all but the data from the website to your computer and once the data is decrypted by the programming in your web browsing program it is no longer secure.
That public key is used to negotiate a symmetric key which in turn is used to encrypt the communications between your browser and the webserver listening on port 443.

You are talking the whole time of authentication (telling us the story of the broken web of trust), while I am talking of encryption. Two different security services provided by HTTPS (http over ssl).

The most part of your post just shows me you are on a personal vendetta against the CAs.

If someone gets a fake certificate for stratics issued, that's one thing. I doubt the average Joe on the wifi of your hotel can do that easily. On the other hand, eavesdropping on login credentials is very much in their reach.

I'm sorry I don't have to say more to that massive text you typed, but it's all built up on that wrong assumption in the quote above. Please go on and tell everybody how bad all the CAs are. After all I am also not here to argue with you people. I made my decisions and can live fine with it. Maybe I should add some paragraphs on how seriously I've worked in the IT security business for years too, to make the point look more valid lol.

I doubt you ever actually had a network sniffer live on an SSL connection at all..
 

petemage

Babbling Loonie
Stratics Veteran
Stratics Legend
UNLEASHED
Also the fact that I now realize you opened that post in Spiels'n'Rants makes me almost wanna instantly delete my post above. Gosh I should just join the EMs and the gametime sellers and call it quits on Stratics.
 

Kirthag

Former Stratics Publisher
Alumni
Stratics Veteran
Stratics Legend
Campaign Benefactor
CAs are getting better considering there are other watchdog organizations working to establish standards to keep the scare tactics out of the scenario. I put this in S&R as this is not related to the game and yes, it will most likely get ranty by you or me or anyone else who cares. I will keep this in ONE PLACE while you find every thread possible to spread the fear.

I just want people to understand the differences and the cause for the confusion. I am not against SSL, just the use of SSL when not necessary, for I will not condone the use of an SSL certificate for the false sense of security to the public when it really isn't that secure.

A few EMs have issues with some things - not all EMs. Many of the EMs still post and participate in Stratics.

Gametime Sellers (or anyone who does RMT) are not posting to Stratics for we do not allow RMT over our domain. That has to do with the Broadsword ToS. It is to protect our community.

If you wish to leave Stratics, that is your choice and prerogative, as it is for anyone else.

Now, please keep to the topic at hand.
 

Flutter

Always Present
Alumni
Stratics Veteran
Stratics Legend
Or another warning (used by google) will scare you away by saying something like this:
[attached screenshot of Google's certificate warning page]

Which if you ask me STILL is not accurate. That is a "scare tactic" warning and is saying that the website you are visiting might be under attack when, essentially, it is the SSL cert that is not valid so you may not be getting the correct website you think you are going to. :( This message showed up for a friend of mine who missed the SSL renewal date for his wife's bake site and all their customers freaked out thinking their host was under attack. Bad Google!!! Many companies have been complaining about this to Google since they started using this message in February. Google has been trying to make their messages "more understandable" to the public, but stuff like this is, again, only scaring people who then will mistrust the site they intended to visit - be it legit or not.
Forgive me I am not "tech-savvy" and am unfamiliar with a LOT of messages I get but this one is pretty clear cut. What gets me is why Google would want to use a "scare tactic" at all. What do they have to gain?
Secondly why is this in SnR? Jesus, I avoided this site for 3 days because I thought after the "down time" that was announced you all were having trouble. I finally sent a message to a friend to ask if you were still having trouble? Shouldn't this be on your most used, therefore most visible forum?

Forgive me for the tldr post but really did anyone read all of that?? Was typing all of that out easier than just renewing an SSL certificate?
*blinks*
 

petemage

Babbling Loonie
Stratics Veteran
Stratics Legend
UNLEASHED
I tried to raise awareness in UHall, but it only got deleted or locked. Kirthag calls it "spreading fear", while on the other hand saying things like "you are never secure when you connect to the internet". I guess there is a bit more in between black and white, but who knows :D At least someone introduced passwords here some time ago. I'm not sure Kirthag would find some rant about password hashes being a devil's advocate as well.

For the user its simple:

- If you care for your passwords, don't ever enter them over a non-https connection from a non-trusted network (hotels, workplace, friends, etc.). Free to go at home, as long as you trust your kids
- If you couldn't care less if someone is taking over your stratics account, login from wherever you feel like (pro-tip: use your admin account for maximum possible damage).

That's the most basic advice you can give everyone without technical knowledge. It will protect you from basically all low-end and hobby hackers without big money or other resources. Kirthag basically calls it pointless, because there is some sophisticated attack surface left, so why even bother securing the other 99%.

Sorry I wrote it somewhere else before in a bit better way, but it got deleted and I don't feel like typing it all again.

Regardless of what Stratics is trying to tell you: SSL always gives you a secured (i.e. encrypted) channel between the browser and the server. You have to explicitly disable all encryption on your server, which can't be done accidentally.

If it wasn't possible to provide https for free, I wouldn't even go that far to communicate the point.
 

Kirthag

Former Stratics Publisher
Alumni
Stratics Veteran
Stratics Legend
Campaign Benefactor
What I am wanting to get across is the fallacy in your statement: SSL always gives you a secured (i.e. encrypted) channel

SSL is NOT the encryption - it is access via the webserver's secure port - that is all. The SSL tells your web browser, "Yes, this is Stratics. Yes, it is owned by Bazaaro Community, Inc. and yes you can see all of our stuff through the super-secret door here numbered 443. Thank you, come again."

THAT IS ALL IT DOES.

Encryption is via the EV Certificate, which is not free, very expensive, and something that is not necessary on sites that do not require it for personal identification and/or ecommerce.
 

Kirthag

Former Stratics Publisher
Alumni
Stratics Veteran
Stratics Legend
Campaign Benefactor
Forgive me I am not "tech-savvy" and am unfamiliar with a LOT of messages I get but this one is pretty clear cut. What gets me is why Google would want to use a "scare tactic" at all. What do they have to gain?
Google, and other companies, have vested interest in the internet security industry. If there is a way to get people to buy more into security that is really not necessary, of course they make more money.
Firefox's messages are better worded as to the actual issue: "Portions of this website are not secure. Do you wish to continue?" When you look at the certificate info through Firefox, it will tell you that the site itself is okay, but that there is content being displayed that is not covered by the security of that site. Most of the time that would be hot-linked images or poorly coded advertisements.

Secondly why is this in SnR?
Because it really has nothing to do with UO and I just wanna give people a chance at learning more about what makes a site tick. If not interested, don't read. :)

Jesus, I avoided this site for 3 days because I thought after the "down time" that was announced you all were having trouble. I finally sent a message to a friend to ask if you were still having trouble?
Stratics was having trouble? When? :eyes:

Shouldn't this be on your most used, therefore most visible forum?

Forgive me for the tldr post but really did anyone read all of that?? Was typing all of that out easier than just renewing an SSL certificate?
*blinks*
Nah, I started it as a rant post cos, yeah... that is my rant. If anyone else wants to contribute to the conversation, well - go for it. :)
And it wasn't just a "renewing of the SSL" - the cost for what we had was prohibitive and after analysis found to not be necessary so it was cancelled.

On the flip side.. IF we were dealing with personal information, and IF we were doing money transactions - yes - we'd have an SSL at the EV level... but we don't.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Stratics has been around since 1996. It has been around all that time without an SSL. The current owner was offered what he thought was a deal from a slick sales person - then found out it wasn't such a deal. Overall, Stratics had a high-level SSL cert on its domain (not just the forums) for about 3 months.... seriously now.... why is this a question again??
 

petemage

Babbling Loonie
Stratics Veteran
Stratics Legend
UNLEASHED
SSL is NOT the encryption - it is access via the webserver's secure port - that is all. The SSL tells your web browser, "Yes, this is Stratics. Yes, it is owned by Bazaaro Community, Inc. and yes you can see all of our stuff through the super-secret door here numbered 443. Thank you, come again."

THAT IS ALL IT DOES.

Encryption is via the EV Certificate, which is not free, very expensive, and something that is not necessary on sites that do not require it for personal identification and/or ecommerce.
Well, I tried to educate you. CAPS WON'T MAKE YOU RIGHT :) I guess you won't find a reliable source to cite for your view on SSL. Keep fooling yourself. Bye :)
 

Kirthag

Former Stratics Publisher
Alumni
Stratics Veteran
Stratics Legend
Campaign Benefactor
I cited my sources in the first post.
:banana::banana::banana::banana::banana:

petemage

Babbling Loonie
Stratics Veteran
Stratics Legend
UNLEASHED
Feels a bit like https://xkcd.com/386/ :D

Not sure why I'm still onto this, but let me ask you some questions then, since you are very experienced with SSL and ecommerce.

When I request a certificate I do so by generating a private/public key pair on my server, then requesting the certificate which basically incorporates the public key, right?

Now when my browser is commanded to open a page on https:// it actually tries to speak HTTPS with the server (regardless of the port, though 443 is very convenient as default port), right?

My browser will then choose a key exchange algorithm (like ECDHE) and a cipher suite (like AES), using the asymmetric channel provided by the means of the public key in the certificate, right? (Hmm lets call this SSL handshake? *doh*)

But there you refuse me. Why is that not possible with non-EV certificates? What has this to do with the encryption part of SSL? As I see your three quoted "sources": The first two explain SSL in very general terms, then the third straight skips many aspects of SSL and directly moves on to one single aspect (namely the extended validation / EV), which basically has nothing to do with say the encryption aspect. The part about non-EV certificates providing no encryption seems just made up out of thin air then, or some lack of understanding maybe.



I can only once again advise you to actually check it yourself. Long discussions won't get you anywhere, though you obviously like them. For @Ron Bron I just hope there is other people for tech advice as well. It's weird I'm putting so much effort into that discussion on a gaming forum :D Must be the weekend :cheerleader:

Kirthag

Former Stratics Publisher
Alumni
Stratics Veteran
Stratics Legend
Campaign Benefactor
As you stated, anyone can make a text file on their server, call it an ssl certificate, and then force traffic via https (port 443 or custom 8443). That is the basis of SSL.

For it to be "authentic" SSL, it needs to be provided from a third party service, commonly called Certificate Authority today. This is where I begin to take umbrage. In the 1990's, people used to make their own SSLs, but of course some not so nice people decided to pirate sites and pretend with their own SSLs. You can scour over the web archives for news posts on this - center around 1997 to 2001.

Many hosts worked partnerships with specific CAs, thus fixing the prices on a basic SSL. This is another practice of the industry I disagree with.

The encryption service of CAs are added to the SSL service. All an SSL is is a "pass" through the secure port of a server. That is all it really is. Encryption services for the packets FROM the server are provided with more coding - and this gets into the services of the CA and host together. An SSL can be coded with additional features to provide up to 256bit (and some are working on better encryptions).

Even the service you had suggested we use for free (which, by the by, would not be supported by our host) states a basic SSL does not provide encryption - and if we want that we would have to pay.
The SSL handshake is basically saying, "Yes, this is xyz.com. Yes, you can venture through the sacred port to access our stuff. Have a nice day." It is used to "provide trust" that the site you are visiting is, indeed, belonging to the people who say they own it.

petemage

Babbling Loonie
Stratics Veteran
Stratics Legend
UNLEASHED
For it to be "authentic" SSL, it needs to be provided from a third party service, commonly called Certificate Authority today. This is where I begin to take umbrage.
The free CA offer certificates which are "authentic". They are recognized by the browser and have root certificates installed. No EV needed in terms of SSL.

The encryption service of CAs are added to the SSL service. All an SSL is is a "pass" through the secure port of a server. That is all it really is. Encryption services for the packets FROM the server are provided with more coding - and this gets into the services of the CA and host together. An SSL can be coded with additional features to provide up to 256bit (and some are working on better encryptions).
This is where you again struggle. Encryption is nothing the CAs are involved with. Please for once take the hour to actually *read* on SSL before replying again.

The SSL handshake takes place for every SSL connection (be it over HTTP by using https, for sending mails over a secure connection with secure SMTP, or virtually every connection based protocol).

The handshake produces a session-key, which is used to encrypt traffic FROM and TO the server.

The things to remember about SSL are:
- every connection is "secure" (considering using a modern cipher suite)
- not every connection is "authentic"
- there is free SSL which is basic "authentic" to all modern browsers (i.e. gets you a simple green lock and no warnings)
- there is expensive SSL which is extended "authentic" due to extended validation efforts while acquiring EV SSL, which is required by certain industry standards

Those are the two corner stones of using SSL:
- "privacy" by encryption and
- "authenticity" by the means of validation through CAs.

The SSL handshake is basically saying, "Yes, this is xyz.com. Yes, you can venture through the sacred port to access our stuff. Have a nice day." It is used to "provide trust" that the site you are visiting is, indeed, belonging to the people who say they own it.
Please take the time and read: http://www.pierobon.org/ssl/ch2/detail.htm

You are mixing a lot of concepts from https, default ports and SSL. Your "sacred port" has nothing to do with SSL actually, but https and the default port for it (which can be omitted in urls in browsers). The "https://" actually tells the browser to first check your server on port 443, if there is no other port specified in the URL. It also tells your browser to talk HTTPS, which further means establishing an SSL connection and talking HTTP over it. The SSL connection of course is secured with a session key, like explained in the link above.

This is for the "secure" part of SSL. Have fun thinking your "authentic" part is all SSL is about :)

Even the service you had suggested we use for free (which, by the by, would not be supported by our host) states a basic SSL does not provide encryption - and if we want that we would have to pay.
May I ask where you have read that (please quote it)?

I know a couple of live sites using those certificates + modern cipher suites on production webservers without issues. And as I said multiple times before: CAs have nothing to do with the encryption part. This is purely configured by the webserver and the browser.
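The handshake petemage walks through above (a fresh key exchange that yields the session key, then the key behind the server's certificate signing the server's share so the client knows who it is talking to), modelled as an added example. This is not code from the thread or from any TLS library: the DH group, the Mersenne-prime RSA key, the absence of padding and the function names (`derive_session_key`, `handshake`, `MitmDetected`) are this example's own toy choices, and the CA appears nowhere in the key derivation, which is the point of the reply.

```python
import hashlib
import hmac
import secrets

# ---- "privacy": ephemeral Diffie-Hellman gives both ends one session key ----
# Toy group chosen for this example; real TLS uses ECDHE on a 256-bit curve.
P = 2**127 - 1      # Mersenne prime M127
G = 2


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_session_key(my_priv, their_pub, client_pub, server_pub):
    """Shared secret -> session key, bound to the two shares seen on the
    wire.  Only a holder of one of the private exponents can compute it;
    the CA plays no part in this step."""
    shared = pow(their_pub, my_priv, P).to_bytes(16, "big")
    transcript = client_pub.to_bytes(16, "big") + server_pub.to_bytes(16, "big")
    return hmac.new(transcript, shared, hashlib.sha256).digest()


# ---- "authenticity": the key behind the certificate signs the server's share ----
# Textbook RSA over two small Mersenne primes and no padding: toy only.
def rsa_keygen():
    p, q = 2**61 - 1, 2**89 - 1
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)      # (public key in the certificate, private key)


def _digest(share, n):
    return int.from_bytes(hashlib.sha256(share.to_bytes(16, "big")).digest(), "big") % n


def rsa_sign(priv, share):
    n, d = priv
    return pow(_digest(share, n), d, n)


def rsa_verify(pub, share, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(share, n)


class MitmDetected(Exception):
    pass


def handshake(verify_cert, attacker=False):
    """One toy handshake.  Returns (client_key, server_key, attacker_keys).
    verify_cert: the client checks the share's signature against the key it
                 trusts for this server (a browser does this with a CA-issued
                 cert; it is skipped when someone clicks through a warning).
    attacker:    an active man-in-the-middle swaps in its own DH share."""
    cert_pub, cert_priv = rsa_keygen()       # the server's certificate key pair
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    sig = rsa_sign(cert_priv, s_pub)         # the TLS 1.2 ServerKeyExchange signature
    seen_by_client, seen_by_server, attacker_keys = (s_pub, sig), c_pub, None
    if attacker:
        a_priv, a_pub = dh_keypair()
        # The attacker can swap the share but not re-sign it: it lacks cert_priv.
        seen_by_client, seen_by_server = (a_pub, sig), a_pub
        attacker_keys = (
            derive_session_key(a_priv, c_pub, c_pub, a_pub),   # shared with client
            derive_session_key(a_priv, s_pub, a_pub, s_pub),   # shared with server
        )
    srv_share, srv_sig = seen_by_client
    if verify_cert and not rsa_verify(cert_pub, srv_share, srv_sig):
        raise MitmDetected("server share not signed by the trusted certificate key")
    client_key = derive_session_key(c_priv, srv_share, c_pub, srv_share)
    server_key = derive_session_key(s_priv, seen_by_server, seen_by_server, s_pub)
    return client_key, server_key, attacker_keys


def mitm_detected():
    """True when certificate verification catches the swapped share."""
    try:
        handshake(verify_cert=True, attacker=True)
    except MitmDetected:
        return True
    return False


if __name__ == "__main__":
    ck, sk, _ = handshake(verify_cert=True)
    print("honest handshake, keys match:", ck == sk)
    ck, sk, (ak_c, ak_s) = handshake(verify_cert=False, attacker=True)
    print("unverified cert + MITM, client and server keys match:", ck == sk)
    print("  attacker holds both keys:", ak_c == ck and ak_s == sk)
    print("verified cert + MITM detected:", mitm_detected())
```

Run it and the three cases line up with the "privacy" and "authenticity" cornerstones: the honest handshake is encrypted with a key only the two ends hold; with certificate checking turned off the connection is still encrypted, but to an attacker holding one key per side; with checking on, the swapped share fails verification before any key is used. Who signed the certificate (free CA, paid CA, or yourself) changes only whether the client trusts `cert_pub`, never the cipher or the session key.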

sibble

Slightly Crazed
Stratics Veteran
Stratics Legend
Heya, what a post! hehe :)

I know a couple of live sites using those certificates + modern cipher suites on production webservers without issues. And as I said multiple times before: CAs have nothing to do with the encryption part. This is purely configured by the webserver and the browser.
This is correct. Recently I had to disable some old ciphers on my web server, was driving me nuts why twitch was ignoring requests from my server.

Probably off topic (didn't read the entire thread, it's a lot...) but during my last troubleshooting adventure I discovered this sweet website:
https://www.howsmyssl.com

Then you can put a php script like this on your server:
https://gist.github.com/harikt/8746633
This basically only tells you how your SSL/TLS client is on your web server. Probably nothing to do with this conversation though...

Just wanted to note that technically you don't have to pay anything to have secure encryption. The only thing you're paying for is for a trusted certificate. You can generate your own certificate and have complete secure encryption, however the little lock next to the URL in your browser window would have an exclamation mark, noting that the certificate is not from a trusted source. So you're basically just paying to show your visitors that your certificate is from a trusted source. You can generate your own certificates with openssl.
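sibble's two points, that the cipher configuration lives in the web server and browser rather than at the CA, and that a self-signed certificate encrypts just as well but fails the trust check, shown as an added example with Python's standard `ssl` module. It is not the configuration of the thread's host or of any real site; the cipher string, the `WEAK_MARKERS` list and the helper names are this example's own choices.

```python
import ssl

# Substrings of suite names a hardening pass drops: broken or export-grade
# ciphers and anonymous (unauthenticated) key exchange.  Example's own list.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")


def weak_ciphers(ctx):
    """Names of enabled suites that are broken, anonymous, under 128 bits,
    or use static RSA key exchange (no forward secrecy: one leaked server
    key decrypts every recorded session)."""
    findings = []
    for c in ctx.get_ciphers():
        name = c["name"]
        if (any(m in name for m in WEAK_MARKERS)
                or c["strength_bits"] < 128
                or "Kx=RSA" in c["description"]):
            findings.append(name)
    return findings


def forward_secrecy_only(ctx):
    """True when every enabled suite is ECDHE (TLS 1.2) or TLS 1.3, where
    the key exchange is always ephemeral."""
    return all("ECDHE" in c["name"] or c["protocol"] == "TLSv1.3"
               for c in ctx.get_ciphers())


def hardened_server_context(certfile=None, keyfile=None):
    """Server side: the cipher string is where 'the encryption' is decided.
    certfile/keyfile are the PEM files for whatever certificate you have,
    CA-issued or self-signed; the suite list is identical either way."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def trusting_client_context():
    """What a browser does: verify the chain against the installed root
    certificates and check the hostname.  A self-signed cert is rejected
    here, which is the exclamation mark on the lock."""
    return ssl.create_default_context()


def blind_client_context():
    """Still encrypted with the same suites, but accepts any certificate:
    this is what clicking through a self-signed warning amounts to, and
    an active man-in-the-middle is not noticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_peer(ctx):
    """Does this client context insist on a trusted certificate?"""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


if __name__ == "__main__":
    srv = hardened_server_context()
    print("weak suites enabled:", weak_ciphers(srv) or "none")
    print("forward secrecy only:", forward_secrecy_only(srv))
    print("browser-style client verifies peer:", verifies_peer(trusting_client_context()))
    print("blind client verifies peer:", verifies_peer(blind_client_context()))
```

The same `hardened_server_context` serves a Let's-Encrypt-style certificate, a $50 commercial one, or one you made yourself with `openssl`; only the client side's `verify_mode` decides whether the certificate's issuer matters. `weak_ciphers` is the kind of check to run after the cipher pruning sibble describes, since a mis-typed cipher string silently falls back to whatever OpenSSL still allows.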

sibble

Slightly Crazed
Stratics Veteran
Stratics Legend
OK I read a little bit more of the post :) I noticed money was mentioned, just wanted to get into a quick why what costs what. If you don't want the extra info, be sure to skip to the bottom to get the relative information to this thread :) Being a self-taught everything-web guy, over the past 20 years, I know that there are things that one would think they understand, but be completely wrong - I'm talking about myself.

Semi Off-Topic Information!

From what I gathered, stratics.com is hosted on a shared host environment. A shared hosting environment is like an apartment complex... there's management to help you do things and there are rules and limitations as to what you can and cannot do. This is ideal for people who know how to build a website, but don't fully know how a web server works. BTW there's nothing wrong with that. Apache, for example, is a web server and a buddy of mine makes 200k a year doing nothing but securing Apache installations - it can be pretty complicated. Anywho... with a shared hosting environment, typically you're going to pay whatever extra charges to stretch those rules and limitations that are set by default to all the shared hosts. Installation of a signed certificate from a certificate authority, would be one of those extra charges you'd have to pay your shared host. This is not the price of a signed certificate itself. I'm not sure how much your shared host provider is asking, but you can get a signed certificate from a certificate authority for as low as $50/yr... so that's just the cost of the cert, not the full price that your shared host provider is probably asking.

Besides shared hosting, what else is there and what are the benefits?

Dedicated Server
This would be the most expensive option. Basically, you're paying for a box (physical computer hardware), in a rack, in a cage, in some warehouse that's kept nice and cool and there's security guards walking around + 24/7 surveillance, etc. you get the idea. That box that you're renting is dedicated to one customer - you. You can do anything you want with this box, like install a web server, or update the operating system that it's running, or maybe even change the operating system to a different distro of linux. You pretty much have complete control over this piece of hardware. Most ecommerce websites I've built don't even need a dedi box. So who needs one? People who need more bandwidth, more processing speed, more storage, more control. Dedi boxes run in the range of $100/mo to thousands of dollars a month.

Virtual Private Server
I'm not going to get into virtualization, so I'm not going to go great depth into this... Ever heard of VMWare? How about the ability to run Linux while you're running Windows? That is an example of virtualization. VPS is cloud-computing essentially. You have a dedicated server (a computer) that has been split into many virtualized servers, those are VPSs. "So where's the difference between a shared host and a VPS?" - this is a fair question! What it comes down to is 2 things, control and resource allocation. Typically shared hosts offer unlimited bandwidth whereas on a VPS you are allocated a monthly allowance of bandwidth. Those aren't the only differences, but like I said I'm not going into great depth here :) Does the server need to be rebooted? No problemo, hit that digital switch and there she goes. Hey my shared host doesn't have some PHP extensions that my web application requires! Well with a VPS you have complete control to install whatever you want. I pay for a VPS to host several of my websites. So, I'm hosting several websites each on their own domains, I have complete control just like a dedicated server... however I'm paying $2/mo :) (ftpit.com) I had to install Apache, PHP and MySQL myself, as well as make sure it's done securely - don't want my web server getting hacked, right? I'm not paying for any type of management, another reason why this is so cheap.

and here we go!

Who needs SSL and what does it actually protect?

First off, does SSL mean that my website is secure? No! SSL is an added layer of security which encrypts the data sent between a user and the server. It prevents people from listening in on the communication between the user and the server. It does not prevent the server nor the user from being hacked via session-hijacking, cross-site scripting attacks, sql injection, and other forms of attacks. OK so if it just encrypts the data communication between the server and the user, then what type of data should be encrypted? Most obvious answer - credit card information. Passwords can be classified as sensitive data, if they enable access to private data. In our example of stratics.com, where is the private data? I'm on the user end so I wouldn't know, but if you have some sub-forums that are accessed by specific users and contain private data, then that would be an example as to why you would want to use SSL on this site.

Well what about your every-day user that browses to your website and wants to login but sees that the URL is HTTP and not HTTPS. They don't know what SSL protects against. If you're worried that you are losing users because of this reason, then that would be another reason to get SSL. You never want to lose visitors, and if your visitors think that they need SSL to login to your website or are asking why you don't have it, sometimes it's best just to give them peace of mind.

Do I think this website needs SSL? Na, but then again I don't know if there is private data that my user account doesn't have access to :)

Kirthag

Former Stratics Publisher
Alumni
Stratics Veteran
Stratics Legend
Campaign Benefactor
Stratics had operated without ssl since its inception. When our current owner purchased Stratics, he got some deal for an ssl and used it, but it caused more issues than we expected so it was removed. Our host is one of the leading services in the world and their security is the reason for it. We rely on them for much of what we have by way of security and having an ssl that is not managed by their service is A) very expensive, B) not supported and C) voids the guarantee of security they offer. With their 5x9 rating - it would be foolish to go against their recommendation.

petemage

Babbling Loonie
Stratics Veteran
Stratics Legend
UNLEASHED
Well, finally some reasoning. Thx @sibble .

Passwords can be classified as sensitive data, if they enable access to private data. In our example of stratics.com, where is the private data?
Points of interest might be:
- Admin passwords sent in plaintext over the internet (again: Hotels, Conferences, Office, etc.). It only takes one compromised admin account to seriously mess with the whole site. And it only takes one compromised Mod account to exploit a trust-relationship (read: spear phishing)
- The average non tech-savvy user might use simple passwords on multiple sites (Read: You as a site owner can protect them from at least having that exposed in plaintext)
- Users share PMs, which might be considered private. They set personal data on their profiles. But of course you can find somebody saying that's not considered "personal data" in some ISO/whatever sense, so no need to protect it.

However, Kirthag finally told the actual reasons behind this move. There is not enough control over the hosting environment Stratics employs. That's OK and after all not my call.

I just couldn't stand all those plain wrong excuses why SSL, CAs or whatever is not worth it or a big conspiracy.

It does not prevent the server nor the user from being hacked via session-hijacking, cross-site scripting attacks, sql injection, and other forms of attacks. OK so if it just encrypts the data communication between the server and the user
It also prevents man-in-the-middle attacks as long as you don't have unlimited access to an evil CA.

My recommended practice in 2015 is: If you require a login, use SSL. Simple.