SSL + your website = ?

Discussion in 'Webmastering & Programming' started by dvsman, May 17, 2018.

  1. dvsman

    dvsman [H]ard|Gawd

    Messages:
    1,873
    Joined:
    Dec 2, 2009
    So I noticed that google chrome is giving me the stink eye about websites I visit that aren't SSL secured lately. Is this really a big deal that I should be concerned about? What about for personal websites / blogs that don't do e-commerce or financial transactions of any kind?

    I wanted to see what my fellow [H]'ers thought about this since google (on Chrome) is pushing the big error messages that say "INSECURE, GOING TO THIS WEBSITE WILL GIVE YOU AIDS" type warnings on sites that aren't SSL certified now.
     
  2. Vashypooh

    Vashypooh 2[H]4U

    Messages:
    2,478
    Joined:
    May 25, 2006
    SSL certs are free.

    Put one on it.

    The warnings are going to get even worse than they are now. The ultimate plan will likely result in the website having a giant red warning bar as well.
     
  3. ChristianVirtual

    ChristianVirtual [H]ard DCOTM Mar 2016,Aug 2017

    Messages:
    2,414
    Joined:
    Feb 23, 2013
  4. Mr. Baz

    Mr. Baz 2[H]4U

    Messages:
    2,796
    Joined:
    Aug 17, 2001
    There is way more to SSL than just "Put one on it."
    Any person or company that doesn't bother with SSL certs isn't worth my time or effort. SSL certs are for so much more than just websites you perform monetary transactions on or enter sensitive data.

    For testing our browser and servers:
    https://www.ssllabs.com/

    An SSL cert can be just as useless as no cert if the server is not configured correctly.
    Hardforum.com gets an A+, which is fantastic -- even though they still have TLS 1.0 enabled.
     
    FNtastic and modi123 like this.
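An added example, not from any poster in this thread: a static audit of what a Python `ssl.SSLContext` is configured to accept, built around the point above that a cert on a badly configured server buys little. SSL Labs probes a live server by handshaking; this only inspects the context offline (names and thresholds are my own choices, not from the thread).

```python
import ssl

# Substrings that mark a cipher as obsolete (assumption: a reasonable 2018-era blocklist).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")


def has_forward_secrecy(name):
    # TLS 1.3 suites (TLS_*) always use ephemeral key exchange; in TLS 1.2
    # cipher names the ECDHE-/DHE- prefix is the tell.
    return name.startswith("TLS_") or name.startswith(("ECDHE-", "DHE-"))


def audit(ctx):
    """Return a list of findings for what the context is *configured* to allow."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    for cipher in ctx.get_ciphers():
        name = cipher["name"]
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"obsolete cipher enabled: {name}")
        elif not has_forward_secrecy(name):
            findings.append(f"no forward secrecy: {name}")
    return findings


def legacy_context():
    """The 'still has TLS 1.0 enabled' shape of configuration (constructed for illustration)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except ValueError:  # OpenSSL built without TLS 1.0: "anything" is still a weak floor
        ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.options &= ~ssl.OP_NO_COMPRESSION   # re-enable compression (CRIME-style risk)
    ctx.set_ciphers("ALL")                  # includes static-RSA and legacy suites
    return ctx


def hardened_context(certfile=None, keyfile=None):
    """TLS 1.2+ only, compression off, forward-secret AEAD suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    if certfile:  # e.g. the fullchain.pem / privkey.pem a free CA issued you
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


if __name__ == "__main__":
    print("legacy:", audit(legacy_context())[:5], "...")
    print("hardened:", audit(hardened_context()))
```

The hardened context yields no findings; the legacy one is flagged for its protocol floor and, depending on the OpenSSL build, for compression and non-forward-secret suites.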
  5. Spidey329

    Spidey329 [H]ardForum Junkie

    Messages:
    8,798
    Joined:
    Dec 15, 2003
    Chrome is transitioning to http = bad. All sites without a valid cert will be flagged and the user warned. I think they plan to flag self-signed certs as well.

    It sucks for sites that don't do any type of form data, like old informational archives. It implies the site isn't safe, so random Joe Blow will transition away.

    It also creates a false sense of security, as people think certs = safety. So they see a green bar and assume they're safe, not realizing that it's a valid cert, but the site is a counterfeit page.
     
  6. Biznatch

    Biznatch [H]ard|Gawd

    Messages:
    1,964
    Joined:
    Nov 16, 2009

    This should have been done long ago. It's not just to protect transactions, but also snooping from ISPs and manipulation of the data in transit. So technically your site isn't safe as all data is sent as clear text over HTTP.

    Certs that have not been created/signed by a trusted Root Authority have always been flagged by the browser. A self-signed cert is the equivalent of a site saying you can trust me because I am who I say I am.

    And you cannot have a valid cert on an invalid page unless you failed to protect your private SSL key, and someone else gained access to that. That is a failure of the site's security, not of the SSL mechanism. That would be like leaving your house key under your mat, then complaining that the locks are shitty because someone accessed your house.
     
  7. goodcooper

    goodcooper [H]ardForum Junkie

    Messages:
    10,265
    Joined:
    Nov 4, 2005
    are you sure re: the self-signed certs, too? do you have a source you can post about that? would be nice to provide for some people that would like us to spend a lot of time and resources on an SSL inspection project...

    seems like SSL inspection may just get more and more difficult if what you're saying is true...
     
  8. NoOther

    NoOther [H]ardness Supreme

    Messages:
    6,667
    Joined:
    May 14, 2008
    Part of it is to help prevent sites from masquerading as the site you want to visit. Mainly this is to help cut down on people going to malicious sites and getting infected. It is only one part of the security onion, but an essential part that could help a lot of people, especially those that don't pay attention to what they click.
     
  9. /dev/null

    /dev/null [H]ardForum Junkie

    Messages:
    13,914
    Joined:
    Mar 31, 2001
    I don't think SSL does this at all. There are TONS of PayPal look-alike sites with Let's Encrypt certs for phishing...
     
  10. NoOther

    NoOther [H]ardness Supreme

    Messages:
    6,667
    Joined:
    May 14, 2008
    But then you are agreeing to use a self-signed or unverified cert for the site...
     
  11. /dev/null

    /dev/null [H]ardForum Junkie

    Messages:
    13,914
    Joined:
    Mar 31, 2001
    SSL tries to be something that encrypts a channel & validates who a remote party is.

    On goal 1, this works most of the time (yeah some sites still use SSL3...). On goal 2, this works some of the time, as phishing certs/typo certs/etc are never pulled/revoked from what I've seen. SSL is "better" but doesn't really guarantee anything unless you have the technical chops to look at & understand the certificate which 99.999% of people aren't able to do.
     
  12. NoOther

    NoOther [H]ardness Supreme

    Messages:
    6,667
    Joined:
    May 14, 2008
    I never claimed SSL was perfect. He asked why Google was complaining, I answered why Google was complaining.

    I am also not sure what you mean by pulled or revoked? Are you saying that the root cert organizations do not remove/revoke a phishing site's cert? They definitely are. How well revocation works is another issue.
     
    Last edited: Aug 7, 2018
  13. /dev/null

    /dev/null [H]ardForum Junkie

    Messages:
    13,914
    Joined:
    Mar 31, 2001
    Let's Encrypt at one point had 14k+ PayPal phishing site certs. They refused to revoke them.
     
  14. NoOther

    NoOther [H]ardness Supreme

    Messages:
    6,667
    Joined:
    May 14, 2008
    Okay, but that isn't the sum total of all CAs... Your comment was that they were never revoked. That isn't true.
     
  15. ZeqOBpf6

    ZeqOBpf6 Limp Gawd

    Messages:
    452
    Joined:
    Aug 24, 2014
    Is there much value to https for a site where a user can do nothing but read? If I'm just reading some blog/website about something new, and there's no way for me to log in or input any info at all, what risk is there that https mitigates?
     
  16. NoOther

    NoOther [H]ardness Supreme

    Messages:
    6,667
    Joined:
    May 14, 2008
    That is more for the validity of the site itself. Again, it's supposed to be a way you know you are at the right site and are actually reading real content from that site. If it was just an http site, anyone could spoof traffic to/from that site and misdirect you with no real effort.
     
    ZeqOBpf6 likes this.
  17. ZeqOBpf6

    ZeqOBpf6 Limp Gawd

    Messages:
    452
    Joined:
    Aug 24, 2014
    Fair enough. Thank you.
     
  18. goodcooper

    goodcooper [H]ardForum Junkie

    Messages:
    10,265
    Joined:
    Nov 4, 2005
    SSL doesn't validate who a remote party is, control of DNS does... There are some add-ons to a lot of services CAs offer that try to do this, but it's always a joke