SSL + your website = ?

Discussion in 'Webmastering & Programming' started by dvsman, May 17, 2018.

  1. dvsman

    dvsman [H]ard|Gawd

    Dec 2, 2009
    So I noticed that google chrome is giving me the stink eye about websites I visit that aren't SSL secured lately. Is this really a big deal that I should be concerned about? What about for personal websites / blogs that don't do e-commerce or financial transactions of any kind?

    I wanted to see what my fellow [H]'ers thought about this since google (on Chrome) is pushing the big error messages that say "INSECURE, GOING TO THIS WEBSITE WILL GIVE YOU AIDS" type warnings on sites that aren't SSL certified now.
  2. Vashypooh

    Vashypooh 2[H]4U

    May 25, 2006
    SSL certs are free.

    Put one on it.

    The warnings are going to get even worse than they are now. The ultimate plan will likely result in the website having a giant red warning bar as well.
  3. ChristianVirtual

    ChristianVirtual [H]ard DCOTM Mar 2016,Aug 2017

    Feb 23, 2013
  4. Mr. Baz

    Mr. Baz 2[H]4U

    Aug 17, 2001
    There is way more to SSL than just "Put one on it."
    Any person or company that doesn't bother with SSL certs isn't worth my time or effort. SSL certs are for so much more than just websites you perform monetary transactions on or enter sensitive data.

    For testing our browser and servers:

    An SSL cert can be just as useless as no cert if the server is not configured correctly. gets an A+, which is fantastic -- even though they still have TLS 1.0 enabled.
    modi123 likes this.
  5. Spidey329

    Spidey329 [H]ardForum Junkie

    Dec 15, 2003
    Chrome is transitioning to http = bad. All sites without a valid cert will be flagged and the user warned. I think they plan to flag self-signed certs as well.

    It sucks for sites that don't do any type of form data, like old informational archives. It implies the site isn't safe, so random Joe Blow will transition away.

    It also creates a false sense of security, as people think certs = safety. So they see a green bar and assume they're safe, not realizing that it's a valid cert, but the site is a counterfeit page.
  6. Biznatch

    Biznatch [H]ard|Gawd

    Nov 16, 2009

    This should have been done long ago. It's not just to protect transactions, but also snooping from ISPs and manipulation of the data in transit. So technically your site isn't safe as all data is sent as clear text over HTTP.

    Certs that have not been created/signed by a trusted Root Authority have always been flagged by the browser. A self signed cert is the equivalent of a site saying you can trust me because I am who I say I am.

    And you cannot have a valid cert on an invalid page unless you failed to protect your private SSL key, and someone else gained access to that. That is a failure of the sites security, not of the SSL mechanism. That would be like leaving your house key under your mat, then complaining that the locks are shitty because someone accessed your house.
  7. goodcooper

    goodcooper [H]ardForum Junkie

    Nov 4, 2005
    are you sure re: the self-signed certs, too? do you have a source you can post about that? would be nice to provide for some people that would like us to spend a lot of time and resources on an SSL inspection project...

    seems like SSL inspection may just get more and more difficult if what you're saying is true...
  8. NoOther

    NoOther [H]ardness Supreme

    May 14, 2008
    Part of it is to help prevent sites from masquerading as the site you want to visit. Mainly this is to help cut down on people going to malicious sites and getting infected. It is only one part of the security onion, but an essential part that could help a lot of people, especially those that don't pay attention to what they click.