My Site CheapHTTPS.info (not selling anything!)

DStrout Member
edited February 2013 in General

I recently put together a site called CheapHTTPS.info, detailing how cheap HTTPS has gotten and how little it means as a way of telling if a site is truly "secure". I'd be interested in opinions on the content, as well as on the guide to setting up your own HTTPS site. Keep in mind, it's geared towards a less technically-savvy audience, so some things might not be entirely correct, but simplifications of the truth. As the title of the post says, I'm not selling anything. I didn't even use my NameCheap referral link in the guide - just FYI.


Comments

  • ztec Member
    edited February 2013

    Nice, I didn't check if you already have this, but you should put in some affiliate links and create a youtube video to direct some traffic. It's not criminal to make money.

  • shovenose Member, Host Rep

    Useful.

  • Looks nice, even though I knew most of the stuff on your site, people who don't will definitely find it useful. It's clean and easy to read.

  • @shovenose @BrightBull - Thanks
    @ztec I know that, but I want to appear as unbiased as possible. This is purely an informative site, not a moneymaking venture.

  • shovenose Member, Host Rep

    See, this is one of those sites to bookmark and link ignorant clients to :)

  • Great site, especially the tutorial may come in handy!

  • You could save $1.99 by using startssl...

  • Great work :D

  • @tehdan said: You could save $1.99 by using startssl...

    Yeah but browser recognition is mehh...

  • Wunderbar Member
    edited February 2013

    @DStrout said: Yeah but browser recognition is mehh...

    I don't have problems on any browser (including mobile devices) with StartSSL.

  • @Wunderbar said: I don't have problems on any browser (including mobile devices) with StartSSL.

    Hmmm... well, I could be wrong. Last I heard of them they weren't well-recognized. I'm checking them out now, I'll have to see if it's worth updating the tutorial. Simplicity is a factor here as well as cost.

  • @DStrout like the layout BTW. I don't agree with all of your points though. You are somewhat likening a self signed certificate to a commercial SSL certificate issued by a Trusted Certificate Authority. At least I am looking at your text now and I can certainly garner some comparisons. Inherently this is an attack of the very nature of CAs. And my experience tells me there is more to this 'information' than just your opinions, no offense. Did you have a bad experience or tough time setting up recently..?

  • edited February 2013

    Unless we're talking EV-type certificates with the green bar, digital certificates are indicative of nothing more than a secure connection between your browser and their server; nothing more.

    I'd have to disagree with what appears to be the, seemingly, overall point of your Web site. I'd say that your "some things might not be entirely correct" comment is somewhat of an understatement. With such a Web site, the information should be correct.

  • DStrout Member
    edited February 2013

    @natestamm - CAs are all well and good, but practically speaking, other than the lack of browser security warnings, what is the difference between a CA-signed certificate and a self-signed one? Verification of domain ownership? What is the point of that, really? I make it relatively clear on the site that you can't just get a CA-signed cert for a domain you don't own. My point is that I could go and register mybankofameri.ca right now, get a CA cert for it, and make a fake, identity-stealing website with the CA's seal of "security" behind it, all for less than $30. That is troubling, and that is what I want people to be aware of. No bad experience, just the realization of how lax this "security" is.

    @JS_James I completely agree with your first paragraph, and that's what I tried to express on the site. What information, specifically, do you regard as incorrect, considering the above?

    Sorry in advance if this sounds like I'm mad, really it's just the more rant-like version of what I posted on the site. Thank you both for your opinions.

  • @DStrout I'm glad I didn't turn you off because I did get that point coming through so didn't mean to suggest it was from a bad play. But your points seem to be a little all over the place so my, very logical brain was just having trouble with it. You're really though getting more into social engineering here. PayPal has been dealing with this problem for a long time. If THAT is your point then I think you're missing the true intention of SSL certificates.

    The point of an SSL cert is not so your average customer looks at the top of their address bar, sees a closed lock or a green bar and says "Wow am I glad this site is using SSL, whew!", the point is the encryption itself that @JS_James pointed out.

    I am adding this in just to ramble But, compliance testing, regularly, and a nice shiny seal will do more to establish trust than SSL.

    I also don't think your steps are really good to put out there for everyone. This is why lots of commercial sites have links to ~every server technology with a basic Howto. Some of your steps are flat out not necessary, i.e. I received my bundle in one file, certificate in another; you have that extra step throwing together your bundle there.

    But I certainly feel comfortable having SSL setup as a minimum for an ecommerce site. If you feel EV itself solves some of the aforementioned issues, I think that should be your point.

    And sorry to ramble. Hey go ramble back! I work from home, this site is my life blood.

  • I think I also see a basic misunderstanding here. May be it is again just a difference in opinions.

    I suppose someone could see the https and think the web site is secure. But what is a secure web site if not simply a secure connection to the server erm, serving the files (at minimum at least)? It is your connection that is secured. This should not insinuate to anyone that they can trust the site. I think you're playing with trust and security as it suits the guide on the site. But I still don't think it's all off base. But secure? Sure it is. Even your fake phishing site is. Now, defined security as a stranger should interpret it. I'll stay away from that one!

  • @natestamm said: to establish trust than SSL.

    Well said @natestamm :)

  • I have a whole page dedicated to the whole security vs. encryption thing. If you read it, the main point that is made is that people see the HTTPS, which indicates encryption, and think that that means they have guaranteed security. Security means that their data is safe from theft, i.e. that only the intended recipient can see it (e.g. their bank). Here is what I mean:

    Average Joe User logs on to bankofamerica.com and sees that his address bar says https://www.bankofamerica.com. Since the S is there, he assumes (probably correctly) that his connection is secure. Only his bank receives his login details when he types them in.

    Next day, AJU (Average Joe User) gets an e-mail from his bank saying they need him to confirm some information. He clicks the link and goes to https://mybankofameri.ca/. The S is still there, so the connection is still secure, right? He types in his login details and is shocked next month to see a bunch of weird charges on his account.

    We know what happened. He saw the S the second time, but though it meant his connection was encrypted, it was not secure, because someone other than his bank got his login info. I tried to define security and encryption in ways useful to the discussion - make sure you understand the definitions I used, because they're important.

  • Very nice. On a quick look, there was no new information for me, but it will be useful for many others :)

    +1 for ya.

  • @DStrout said: The S is still there, so the connection is still secure, right?

    Sure it is. And I totally feel ya. I just wouldn't go assuming what https means. I think you and I might disagree that a majority of people Trust the brand behind the site due to this. I don't think they do, and I think it would be a mistake to think that.

    My point is only that the certificate serves a different purpose. If you would want to use your example as a reason to revamp low level encryption and do away with commercial certificates I just think that's misunderstanding their purpose. But I can't try to give a logical argument that is at once for EV and against DV or OV what have ya. Any developer worth their weight should try to push for the highest level of validation if they can. It was just reading your site that I felt may be your real intentions could be brought to surface here and you could work on making it a little more concise. Those graphics you have there are hurting my brain.

    Not that there aren't a few already, But what a good chance to focus the site not just around information but perhaps, to make it a tool to use that can evaluate information from an https query, the certificate, perhaps a full fledged SSL monitoring or advice site...with useful tools ya know, automate that shit. Make the computer tell people what they NEED to hear they don't want to read your gray on gray babble that's been regurgitated from Google, know what I'm saying (don't take that the wrong way!)? And THEN put in the link to your affiliate EV program. Kidding.

  • Let me try again. I don't like to lead by example in any aspect of my life But I'll give it a go. Let's say you have a VPN. I've worked with many companies that do. The ones that have real security minded IT people will not even consider letting you access that network until they have your machine in front of them, with a chance to completely evaluate your EXISTING files and installation. Perhaps even requiring a complete reinstall to company spec, before they give it up. Why you ask? A VPN is up there with the highest levels of security right? Wrong. Give me a good .NET programmer, or anyone who has spent any time with VB. They could have a script written tapping into the Windows API doing a gazillion things you couldn't even imagine as if you were sitting right there. This is just computing basics. It's really why I'm a fan of going with the bare minimum, even with SSL, until you're ready to play with the big boys. It's the same reason I scoff at pam and cram and md5 and tls auth with mail accounts. Sure throw it on, your compliance company might even require it. But your mail server will ultimately only be as secure as the passwords referencing the accounts. Just my two, I'm getting jaded I think. Anyone trusting any brand right now, especially in this economic 'climate', based solely on seeing five characters, and trusting their life savings based on one character, is really not using muscle number one.

  • @DStrout and don't listen to most of what I said. I don't personally like being one to assume anything either way. I had a lot of success in my projects today so I'm happy to troll LET and ramble. You're right in your basic mindset. In this world if something can be misconstrued there is opportunity for change. Whether one might consider it an improvement or not, meh. Did I mention I like that layout? Learn something new every day. I think I got me a new source for micro sites!

  • DStrout Member
    edited February 2013

    @natestamm said: I think you and I might disagree that a majority of people trust the brand behind the site due to [HTTPS]. I don't think they do, and I think it would be a mistake to think that.

    Now we get to the heart of the matter. So here's the deal: I tried to make a site that would explain to mom (maybe even grandmom, if I'm really lucky and have an astonishingly smart grandmom) the difference between HTTPS and actual guarantee of 100% secure transactions, based on a debunking of what HTTPS is and is meant for. The problem is, no one, from grandmom on down, knows or wants to know the whole chain of a connection to a website that requires personal info. I agree with you that there are so many places where it can go wrong; the HTTPS connection being just one of them. But in my experience at least, I have seen far too much trust placed in an HTTPS certificate. Thus, if nothing else, I wanted to show how easy they are to come by to "prove" that they are not reliable. So at the core of this site is this assumption that you and I disagree on. But the assumption is about the majority of people. Even if you are right and the majority of people don't place too much trust in HTTPS, at least my site is useful for the minority that do.

    As I think about it, maybe I should go through the site and clarify in straightforward terms what HTTPS does and doesn't do, like so:
    HTTPS does:
    Encrypt your connection to the computer that displays the website (straightforward terms, remember. "Server" is more concise, but less clear. Anyway, moving on...)
    Usually prevent people from easily claiming to be the exact website you're looking for, e.g. if you're looking at https://www.bankofamerica.com/, it's unlikely to be forged

    HTTPS does not:
    Guarantee that your data will only be sent to who you want it to be sent to (e.g. your credit card info is being sent to Amazon and only Amazon)

    That is fairly clear, and with a disclaimer about HTTPS only being one step in the chain, I think all bases are covered. The problem is, as you indicated, that it's very difficult to just cover the security (or lack thereof) of one particular technology without going in to lots of related ones.
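    The "does / does not" split above, as an added example that is not from the thread or from CheapHTTPS.info. The two certificates are hand-written dicts in the shape Python's ssl.getpeercert() returns (nothing is fetched), the issuer name is a placeholder, and the registered-domain helper is a deliberately crude last-two-labels check; it shows that the browser's own check passes for https://mybankofameri.ca/ exactly as it does for the real bank, and that "is this the site I meant?" is a separate question the padlock never answers.

```python
# Added example: constructed certificates in the dict shape that
# ssl.SSLSocket.getpeercert() returns. Neither was issued by a real CA.
REAL_BANK_CERT = {
    "subject": ((("commonName", "www.bankofamerica.com"),),),
    "issuer": ((("organizationName", "Example CA (placeholder)"),),),
    "subjectAltName": (("DNS", "www.bankofamerica.com"),
                       ("DNS", "bankofamerica.com")),
}
LOOKALIKE_CERT = {
    "subject": ((("commonName", "mybankofameri.ca"),),),
    "issuer": ((("organizationName", "Example CA (placeholder)"),),),
    "subjectAltName": (("DNS", "mybankofameri.ca"),
                       ("DNS", "*.mybankofameri.ca")),
}


def _name_matches(pattern: str, host: str) -> bool:
    """One SAN entry against one hostname, RFC 6125 style: case-insensitive,
    and a leading '*.' stands for exactly one DNS label, never zero or
    several labels."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    host_labels = host.split(".")
    return len(host_labels) >= 3 and ".".join(host_labels[1:]) == pattern[2:]


def hostname_matches(cert: dict, host: str) -> bool:
    """The check the browser performs before it shows the padlock: does the
    name typed in the URL appear among the certificate's DNS SANs?"""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(_name_matches(n, host) for n in dns_names)


def registered_domain(host: str) -> str:
    """Crude registrable domain (last two labels). Fine for .com and .ca as
    used here; a real tool would consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def padlock_report(cert: dict, url_host: str, expected_host: str) -> dict:
    """Separate what the padlock proves (an encrypted connection to the host
    named in the URL, holder of a cert for that name) from what the user
    assumes (that this host belongs to the site they meant to visit)."""
    return {
        "connection_verified": hostname_matches(cert, url_host),
        "is_expected_site": registered_domain(url_host)
        == registered_domain(expected_host),
    }
```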

  • @natestamm said: the point is the encryption itself

    This.

  • @DStrout I'm with you brother. It's your terms, some of them that you're still using that I am really over analyzing. And I don't even want to say why because it would just be redundant. Just be careful with those words. As long as the cert isn't broken it is a secure connection and it is doing its job encrypting your data. If grandma is using Windows and she wants to be sure of the websites she is visiting she should also just give her hosts file a quick check. In the spirit of that logic I just feel that, combined with some wording that makes me wince we're somewhat focused on the wrong thing.

    But maybe not. All of this, your points and mine are really the reason to go EV. It's hard to ignore that from my POV. Your clarifications on the site would be much welcomed it's just....and sorry, again...I'd hate to see a site like that being used with any intention to selling a product. Even purporting EV makes the security analyst in me groan based on that info. But it still doesn't make it a bad idea. The logic of this makes me divulge to domain verification, ergo EV regardless. So it's good stuff either way.

    Just don't say anything like because of the 's' it's unlikely to be forged. You yourself proved it can be, I guess. Fake phishing sites have been a plague for a long time. At the risk of being rude I just feel like I'm looking at this from a higher hill. I've helped quite a few companies who had CMS intrusions where having a thousand dollar certificate wouldn't have helped the fake phishing site that was installed in the nether reaches of their system. Domain verification is very important to me because of this, the guy that accidentally hit that fake site you mentioned might have avoided his problems by simply reading his ToS from the bank, or the numerous alerts and advisements Banks put out to their customers in paper and digital form to be wary of these types of things. Look at PayPal they have quite a bit of content devoted to screening incoming mail. Which really is why I don't agree with your example in the first place. That link, at least as it appears in the message body, along with the message headers themselves, could be completely forged. But don't take that to mean I don't follow you. Really the nerves you're touching on in the community with security on a whole are dangerous, because you're right. But from a starting point for what the cert was intended for, not necessarily a reason to NOT get yourself a nice cheap cert, trust from your end as a business owner that it is doing its job, and for some measure of that trust that your clients know they are sending data over an encrypted connection.

    You have some great points. One up for EV and glasses for grandma.

  • DStrout Member
    edited February 2013

    I'm really agreeing with what you're saying for the most part, but the problem is I can't effectively address all these issues on my site. For one thing, they're just too complicated and I don't want to venture too far outside the scope of the site, namely HTTPS. For another thing, I'm running out of room in the navigation bar :) Seriously though, it would be great if there was a way to put together a site that covers the whole security of the whole TCP/IP stack that grandma could not only understand, but also be interested in. If I erred somewhat in my explanations, it was for the case of brevity/simplicity so that grandma wouldn't get too bored.

    I have an idea. I'm thinking an interactive is-this-the-site-you're-looking-for game-style system. After reading the first two pages of the site, users go to a mockup of IE displaying several versions of a (fictional) bank's website - some real, some forged. If they can guess which ones are which, they... well, they at least are better prepared. It would take some doing, but it would be much more enjoyable for them. What do you think? (includes everybody here, even if this post has come down to a lot more of nate and me).

  • oLution Member

    Site is down.
    Any plans to bring it back online?

  • DStrout Member

    Unfortunately I made a stupid mistake and lost the files. (No, not rm -rf, I accidentally destroyed the DigitalOcean box - even more thorough) I believe I still have the text content, but I'd have to reissue the SSL certificate and make the images again. If y'all do want it back, I'll put it on the to do list though.

  • I'd love for it to be back online :)

  • Janevski Member
    edited May 2013

    @DStrout I am getting connection timed out when I try to access the page. If possible I would like to see the site online, so I can check it out. :) I've read your post, it seems like a nice idea.
