First, as a web developer and designer I want to state that yes, I know what SSL is, what it does, and what it is for. I've been building ecommerce and business websites since the mid 90's before SSL was such a huge thing to the general public - back then it was a geek thing. I worked my way from being a graphic designer to a marketing executive and then crossed over into tech and even did consultation work across the north east for businesses regarding their websites - was rather successful too. 
I've watched an entire industry come-to-be by the overblown rhetoric of businesses selling SSL Certificates. Their scaring of unknowing and naive business owners made a lot of IT people very angry - and that anger has been beaten down into utter apathy because people want to keep their jobs. I've seen people get rich in this business.... and here I'll explain why.
Do a Google Search on just "SSL" and you get this definition:
- SSL stands for Secure Sockets Layer. It provides a secure connection between internet browsers and websites, allowing you to transmit private data online. Sites secured with SSL display a padlock in the browsers URL and possibly a green address bar if secured by an EV Certificate.
- SSL Certificates are small data files that digitally bind a cryptographic key to an organization's details. When installed on a web server, it activates the padlock and the https protocol (over port 443) and allows secure connections from a web server to a browser.
To understand this more.. you need to know what an EV Certificate is...
- An Extended Validation Certificate (EV) is an X.509 public key certificate issued according to a specific set of identity verification criteria. These criteria require extensive verification of the requesting entity's identity by the certificate authority (CA) before a certificate is issued.
An SSL CERTIFICATE is only a tiny little text file that identifies a website's owner to the browser. It provides a public key which is used to verify the validity of a website so that data FROM THE WEBSITE to the viewer is secure - in other words, the website is owned by whoever says they own it and information they are sending you is legitimately FROM that website.
The SSL also allows for the use of port 443 on a web server which, by standards within the internet industry, is a secure port for the transmission of information.
That is all an SSL Certificate does - verify identity and information - it does not provide any other security other than that. It does not encrypt the information you send from your computer to the website. It does not encrypt anything at all but the data from the website to your computer and once the data is decrypted by the programming in your web browsing program it is no longer secure.
Since the use of SSL became big business, varying levels of "security" have been developed by businesses to help raise the price of their services to provide third-party verification of SSL certificates - these companies are called "Certificate Authorities" or CAs. There is no "standard" for their offers of "security" - and it differs from CA to CA - each CA has their own OPINION of what is secure. Some CAs sell added protection which is why SSL is actually changing to TLS (Transport Layer Security) for no one, and I mean NO ONE, can guarantee security over open internet lines that span the world. Even an EV does not provide security - it only says a company paid for additional levels of identity verification.
It is here I want to tell everyone that the only REAL security you have for your computer from the internet is to UNPLUG IT. Simply put, once you connect a modem or turn on wifi or Bluetooth, you are connected to a huge network of people you don't know. That is the only plain truth about it. If a bad person really wanted to invest the time and effort, any level of encryption can be broken into - but that is a topic for another conversation, eh?
There is a growing concern from the W3C that the lack of standardization has created an element of mis- and dis-information that has caused the general public to believe that ANY SITE that bears the "https://" in its url is safe, secure, and will protect their information from being sniffed, hacked, stolen or otherwise used in ways they do not approve of.
The World Wide Web Consortium (W3C) is a non-profit, international organization made up of web developers, designers and engineers who are working to help standardize the internet and keep it free and open for everyone to use - read more at http://www.w3.org/Consortium/
It is through their efforts that SSL certificates are being augmented by EV certifications and the new TLS is being developed.
Having SSL on a website for security is a fallacy (look at the major hackings at Sony and other companies - they use *gasp* SSL!!!) for after all, an SSL certificate only verifies identity - it doesn't supply real security. And that verification is ONLY AS GOOD AS WHAT A COMPANY PAYS FOR.
Now, for a bit of history. If you don't like history and don't want to know how the interwebs works a bit better, you can tldr the rest and post a response. Keep in mind that if I reply, I will most likely reply in kind - so become better informed and please read on.
Specifically, in 1999 to about 2001 - admins were creating their own little text file on their servers and telling their web-stack (the software that runs their web server) THAT is the SSL certificate. Then, the server admin would set up so https could be used on their site (by accessing the site via port 443 or 8443 which are the designated ports for https) and people would believe that yes, the owner of the site is legit. So, then web browsers would display and accept that https command and visitors to that website would believe that when they submit their private and payment information, it was being sent to whom they believed should get it. For a long time this practice was the standard and acceptable - the internet was still young and thus we were all naive. Then some not-so-nice people figured they could exploit this and would copy a website and put their own SSL certificate on it and mislead site visitors that this "doppelganger" was legitimately owned by whomever they were pretending to be.
This was a very popular move by crackers in the early part of the century - particularly duping bank sites and putting fake SSL certs on them, then sending out emails to people to go to THAT site and put in their account information - which was really being fed into a database. All real sneaky stuff, really. This helped to spawn a new industry in the tech & internet world - the Certificate Authorities.
"Hey, I will VERIFY that this site is owned by whomever PAYS me to do so!"
That idea is what spawned VeriSign, Comodo, thawte and many other similar businesses and a new "security industry" for the internet. They used what in marketing we call "scare campaigns", convincing business owners that their customers wouldn't trust the websites they've spent millions on without buying SSL verification services through them! I remember one email I was sent (being listed as the Marketing Director for a company) that, and to quote,
"... without having a (company name) SSL certificate on your website, you are telling your customers that you don't care if someone else steals their money..."
I have this email saved - it reminds me how crazy the industry was. That particular CA is no longer around, having been bought by a much larger firm which, in turn, was bought out by an even larger corporation.
Now, some of us geeky marketers got a bit ticked off that these companies were going to our bosses and making us look like idiots. In 2003, after years of arguing with my boss, I was forced into buying services from thawte (a South African company) for an ecommerce site I was building. All they did was check the local better business bureau to see if my employer was, indeed, registered to do business in Hawaii. That's it. They didn't check anything else to ensure the business is what it says it is. They didn't check banks, credit card merchant accounts, or even Dun and Bradstreet! All they did was go to the public records to verify that the business is, indeed, operating in Hawaii. Honestly, I was surprised they checked public records here in the US. I fully expected them to only check the very public whois records for the domain. (I will note, thawte has changed their practices since then due to the PCI regulations set forth by the major credit card companies, but that is an altogether different topic).
Well now! I coulda done that for FREE and not have to pay out $800/year for a SINGLE LEVEL SSL! That company sent a text file to me, and told me to stick it on my server. Ahh! The early years!
Ahh.. yes... the all so ambiguous "SSL levels". This sorta developed around 2003 and matured around 2006. However, it is not standardized, so what one company calls "professional level" another company may call "corporate level" and yet a third company calls "enterprise" and then a fourth calls it "reseller" or "partner level". All of these "levels" range in services and costs. For most of the services, the EV Certificate is something you have to pay at least $800/year for.
Some CAs will provide "free SSL service" - all they do is send a text file to your site administrator (if you are not the site administrator) to put on the web server, then that site administrator would have to tell his server administrator to configure the server to allow the site to display via port 443 (which is the internet's standard port for SSL) and then https would be displayed in the url.
Uh... hold on... that is what everyone was doing back around the turn of the century! We all know what happened then.... doppelganger sites and phishing campaigns by some very bad people.
However, when you use those "free ssl services" from some of these CAs, you also get put on their email list and are constantly inundated with emails to buy "more secure features" for things you may not need.



Stratics did, for a little bit, buy an SSL certificate which provided not only the verification of who we are (owned by Bazaaro Community, Inc.) - but also provided for packet encryption on login only. Meaning, when YOU sent in your login credentials via our site, your login was encrypted to our server, then our server would send the acceptance back to the website also in an encrypted form. After that, your browsing over the forums was done due to your secure login and verification that yes, we are Stratics - for the handshake gets recorded in the site cookie. No further packet encryption was provided.
Now, the SSL itself DOES NOT PROVIDE PACKET ENCRYPTION. This is something many do not understand. SSL is only verification of identity of a site - a public key in a file on a server saying, "this site is owned by blah blah blah" and access via the site's secure port. Packet encryption is provided by the EV Certificate, and this is when you will see the little lock and sometimes a green color to the url bar (depends on your web browser, but the W3C is pushing for this to be an internet standard in the new TLS standards).
And yet, there are varying levels to the EV...
- packet encryption for logins ONLY. Many CAs consider this "advanced security" and several will not recommend this for sites unless they harvest and store personal information. Some shadier ones will just take your money.
- packet encryption for carts only from the final transaction page, all other pages are NOT COVERED by the certificate.
- full packet encryption for any page of site after login (also called wildcard SSL/EV) - these are very expensive certificates that get up into the $1200+ range and yes, most times the certificate details are encrypted as well and are only shared between the CA and your web host. For the most part, YOU never see the certificate file itself, and you are locked out of that portion of your web server by your host.
- Again, the W3C is pushing for this to be standardized.
So what does this mean for Stratics? First, we must look at the two primary reasons for today's SSL needs: Collection and storage of Personal Information and Ecommerce and Credit Card Transactions...
- Stratics does not require personal information (phone numbers, postal addresses, social security numbers, etc.) that personally identifies a specific person individually. If a user adds that information, they do so at their own risk, and this is explained in our Privacy Policy. We discourage the use of "real names", instead, the use of "nics" is preferred.
- Stratics does not collect funds directly from site visitors or users. Any and all payments for subscription services are passed through PayPal as they have very secure features they pay for.
What about other gamer community sites? Particularly some of the largest ones...
- IGN uses EV on their s.ign.com domain only. After login, users are redirected to the content site where there is no https involved. Account services are directed back to the s.ign.com domain.
- MMORPG does not use ssl at all, even though they do require various personal information like real name and location and birthdate.
- Guildlaunch (aka Gamer Launch) does not use ssl at all
- Enjin (recommended by PCGamer) does not use ssl at all
If Stratics ever gets into such activities where sending encrypted data over the open internet is necessary, I will be all over the bandwagon for getting such services. Right now, Stratics doesn't do that.
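To make the 1999-2001 history above concrete, here is an added example (not part of the original post) using the openssl command line: two certificates made without any CA carry the same site name, and only a client that already trusts one specific certificate can tell them apart. The host name, organisation and file names are constructed for illustration.

```shell
#!/bin/sh
# Added illustration. The host name, organisation and file names are
# constructed; nothing here contacts a real site.

# Create a key pair and a self-signed certificate: the "little text file"
# an admin can produce without involving any certificate authority.
make_self_signed() {   # $1 = output prefix, $2 = subject name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1.crt" -subj "$2" 2>/dev/null
}

# Print one name field ("subject" or "issuer") without its label.
name_field() {         # $1 = certificate, $2 = subject|issuer
    openssl x509 -in "$1" -noout "-$2" | sed "s/^$2= *//"
}

# Self-issued: the certificate vouches for itself.
is_self_issued() {     # $1 = certificate
    [ "$(name_field "$1" subject)" = "$(name_field "$1" issuer)" ]
}

# SHA-256 fingerprint, the value that tells two certificates apart.
fingerprint() {        # $1 = certificate
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Does a client whose trust store is the file $1 accept certificate $2?
trusted_by() {         # $1 = trust anchor file, $2 = certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d) || return 1
    subj="/CN=forum.example.test/O=Constructed Example Org"
    make_self_signed "$dir/site" "$subj" || return 1   # the site's own cert
    make_self_signed "$dir/copy" "$subj" || return 1   # second cert, same name

    for c in site copy; do
        printf '%s: subject=%s\n' "$c" "$(name_field "$dir/$c.crt" subject)"
        is_self_issued "$dir/$c.crt" && echo "  issuer equals subject"
        echo "  sha256 $(fingerprint "$dir/$c.crt")"
    done

    # A client that trusted the site's certificate in advance accepts only it.
    trusted_by "$dir/site.crt" "$dir/site.crt" && echo "site: accepted"
    trusted_by "$dir/site.crt" "$dir/copy.crt" || echo "copy: rejected"
    rm -rf "$dir"
}

demo
```

The name inside both files is identical; only the fingerprint and the verifier's trust store separate them, which is the gap third-party verification was introduced to fill.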