
When should you use SSL?

Servers4You

Member
Verified Provider
SSL is a must in any web browser now, whether that be a CloudFlare Free SSL or your own EV Certificate. It shows trust that you are protecting your visitors'/customers' data, however they interact with your website. As of 2017, Chrome has also implemented higher SEO results in search engines, as well as the browser showing a grey "i" icon showing it is not a secure connection. Even a basic Comodo PositiveSSL Certificate costs barely anything per year ($7/yr) or a Geotrust RapidSSL Certificate ($13/yr) - it won't break the bank - yet brings out the trust in a website.


@MannDude, @HalfEatenPie & @MartinD, you might want to consider getting SSL for VPS Board as your SSL Certificate expired on the 5th of this month... Contact me if you need one - I can give you a free PositiveSSL or RapidSSL if you need one...
 

maounique

Active Member
I am kinda biased against SSL for a while.
1. I think the CA system is broken fundamentally; however, there are attempts to patch it up lately, but I don't see that solving any serious issue. It is like patching Windows: it kinda works, even enough that banks and governments use it, however things get grimmer by the day and it will eventually implode;
2. When I see an online forum where people exchange ideas for free under an alias without being asked for personal details, and it is not working due to some SSL problem in a browser or another because the admins insist on sanctimonious SSL-only approaches while having no actual clue on how that works and why it would be needed on such a platform, I keep thinking about the trade-offs between security and functionality. If you want privacy, SSL won't protect you; you use a VPN, and it is better encrypted and more out of reach of bad actors than any SSL-based system will ever be.
If you are worried your password will leak due to MITM attacks and this will cause you serious injury, you are not using the right authentication system; consider two-way ones.
 

graeme

Active Member
I agree the CA system is messy. I do not think it will implode though - what is going to replace it? It would have been nice to have something that works more like ssh does (set up the first time you connect, warn of changes), possibly supplemented by direct distribution of some sort of key for really important sites.
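Two checks that bear on the points raised above (the expired VPS Board certificate Servers4You mentions, and the ssh-style "remember on first connect, warn of changes" model graeme describes), as an added example that is not part of the thread or any poster's code. The hostnames, DER bytes and dates are constructed sample values, the 30-day renewal threshold is an assumption, and the certificate dictionary only mimics the shape of what `ssl.SSLSocket.getpeercert()` returns; nothing here connects to a network.

```python
"""Added example, not from the thread. Two standalone checks:

1. certificate-expiry classification, the monitoring that would have caught
   the expired forum certificate before visitors did;
2. a trust-on-first-use (TOFU) pin store that behaves like ssh's known_hosts:
   trust and remember a certificate on first contact, warn when it changes.

All hosts, DER bytes and dates below are constructed sample values."""
import hashlib
import ssl

WARN_DAYS = 30  # assumption: flag certificates with fewer than 30 days left


def days_until_expiry(cert, now):
    """Whole days until cert['notAfter'] relative to `now` (negative = expired).

    `cert` mimics the dict from ssl.SSLSocket.getpeercert(), whose 'notAfter'
    is a string such as 'Jul  5 23:59:59 2017 GMT'; `now` uses the same
    format so the comparison is done entirely in UTC with the stdlib parser.
    """
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    current = ssl.cert_time_to_seconds(now)
    # Floor division so that "expired an hour ago" already counts as -1.
    return (expires - current) // 86400


def classify_expiry(cert, now):
    """Return ('expired' | 'renew-soon' | 'ok', days_remaining)."""
    days = days_until_expiry(cert, now)
    if days < 0:
        return "expired", days
    if days < WARN_DAYS:
        return "renew-soon", days
    return "ok", days


class TofuStore:
    """ssh-style pin store: host -> SHA-256 fingerprint of the cert's DER bytes.

    In real use the pins dict would be persisted (like ~/.ssh/known_hosts);
    here it lives in memory so the example runs offline.
    """

    def __init__(self):
        self.pins = {}

    @staticmethod
    def fingerprint(der):
        return hashlib.sha256(der).hexdigest()

    def verify(self, host, der):
        """'first-use' when a host is seen the first time, 'match' when the
        pinned fingerprint agrees, 'changed' when it does not (refuse + alert)."""
        fp = self.fingerprint(der)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = fp  # first contact: trust and remember
            return "first-use"
        if known == fp:
            return "match"
        return "changed"  # the ssh "REMOTE HOST IDENTIFICATION HAS CHANGED" case


def demo():
    """Run both checks on constructed inputs; returns the results for inspection."""
    cert = {"notAfter": "Jul  5 23:59:59 2017 GMT"}  # constructed expiry date
    results = {
        "expiry_on_jun_1": classify_expiry(cert, "Jun  1 00:00:00 2017 GMT"),
        "expiry_on_jun_20": classify_expiry(cert, "Jun 20 00:00:00 2017 GMT"),
        "expiry_on_aug_10": classify_expiry(cert, "Aug 10 12:00:00 2017 GMT"),
    }
    store = TofuStore()
    der_a = b"constructed-der-bytes-for-forum.example-cert-A"  # constructed
    der_b = b"constructed-der-bytes-for-forum.example-cert-B"  # constructed
    results["tofu"] = [
        store.verify("forum.example", der_a),  # first-use
        store.verify("forum.example", der_a),  # match
        store.verify("forum.example", der_b),  # changed: cert swapped
    ]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The expiry half is the part a forum operator can put on a cron job today; the TOFU half shows why graeme's ssh model is attractive (no third party to trust) and also its known weakness: the very first contact is taken on faith, and a legitimate renewal looks exactly like a swapped certificate unless the site distributes its new key out of band, which is the "direct distribution of some sort of key" supplement the post mentions.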
 

maounique

Active Member
I do not think it will implode though - what is going to replace it?

1. I think it is used for too many things which may need different approaches. For example, a central authority to sign certificates for various software updates from various vendors is not necessary; they can issue their own certificate, and the user can accept it and install it by default with the app itself. There are many such scenarios where the scale is more PGP-like than SSL-like. I think the question "what do we try to achieve here, security-wise?" is not asked seriously enough when a system is designed. "This is how it is done" is the answer by default in too many places. It takes the burden of thinking out of the box from you, but it also means potentially great ideas do not pop up, let alone make it into the mainstream.
2. Nobody and nothing is irreplaceable. The cemeteries are full of irreplaceable people; how can we seriously think a flawed security model cannot be replaced? There are attempts with blockchain and other technologies derived from it, quantum keys embedded in light and other preposterous stuff for many, but if we do not try, it will never happen. Before Tesla (both the man and the company) many people said "it will never happen". Some still say that... Both Musk and Jobs used existing technologies in a different way, combined, beautified, made appealing... The result is a revolution in progress, even though they did not actually invent much.
3. I have been saying this for a long time: we have the technology, the will and the tools to build a "layer 8" internet, entirely encrypted, floating filesystems, even VMs, a virtual home for everyone, powered by the shared resources of many, bits and pieces of traffic, storage and CPU, completely anonymous, uncrackable without actual police work (infiltration, social engineering, undercover agents, etc). As that is done for one purpose, the same "Layer 8" can be used for the complete opposite, absolute identification and message signing over a completely encrypted p2p connection.
Absolutely everything needed is out there (sure, not specifically designed for this, but trivially simple to adapt); we need the organizing to make it happen in spite of Big Corporations, Cults and their minions, the nation states.
 

Geek

Technolojesus
Verified Provider
While Google does slightly favor the presence of TLS, it's a very small piece of the ranking pie.
Every now and then when I Google something specific, I'll look for encryption in the URL. Most times I see a pretty steady mix of both HTTP/HTTPS in the results.

Assuming you're following Google's butthurtedness over Symantec's vetting of OV certs, you know that Google will begin to distrust all of Symantec's roots (incl. the RapidSSL/GeoTrust/Thawte brands). Going forward next year, all Symantec certs will be cross-signed by DigiCert. Below, a timeline for Chrome. FF will follow suit.


 