Bitcoin Forum

Economy => Service Discussion => Topic started by: ripper234 on June 14, 2013, 11:25:59 AM



Title: Blockchain.info should switch to SSL by default
Post by: ripper234 on June 14, 2013, 11:25:59 AM
Currently blockchain.info supports SSL, but doesn't require it. If you go to either http://blockchain.info/ or https://blockchain.info/ and search for a bitcoin address, it works.

I propose that the homepage will always redirect from http://blockchain.info/ to https://blockchain.info/
After this redirect, any search a user does on this site will be on SSL by default.

The purpose is to make it a bit harder on men-in-the-middle (e.g. ISPs) to capture any traffic that helps them analyze which users searched which addresses.


Title: Re: Blockchain.info should switch to SSL by default
Post by: naphto on June 14, 2013, 11:46:33 AM
Why not? But not compulsory.
That would prevent me from sleeping ...


Title: Re: Blockchain.info should switch to SSL by default
Post by: lucasjkr on June 14, 2013, 02:46:14 PM
So, if I go to blockchain.info and search for a transaction, upon hitting post, it redirects me to the SSL version of their site. This is where it redirected me, as a matter of a fact:

https://blockchain.info/block-index/393463/0000000000000101a6ec423efffd45e070f3aa628d4ab9fd688abb9eb26555f8

See anything wrong with it? Any attacker or man-in-the-middle will know exactly what you were searching for simply by looking at the URL you arrive at. Just as if you search for a transaction that hit this wallet "11CtTrDnLu2DtbQJPYDUVGf5ZeQ7RB1ao", you arrive at this SSL-enabled page "https://blockchain.info/address/11CtTrDnLu2DtbQJPYDUVGf5ZeQ7RB1ao"

The page is only encrypted to prevent a man in the middle from replacing information on each result page, but it does zero in the name of user privacy. Adding a redirect won't change anything.


Title: Re: Blockchain.info should switch to SSL by default
Post by: SgtSpike on June 14, 2013, 03:01:47 PM
So, if I go to blockchain.info and search for a transaction, upon hitting post, it redirects me to the SSL version of their site. This is where it redirected me, as a matter of a fact:

https://blockchain.info/block-index/393463/0000000000000101a6ec423efffd45e070f3aa628d4ab9fd688abb9eb26555f8

See anything wrong with it? Any attacker or man-in-the-middle will know exactly what you were searching for simply by looking at the URL you arrive at. Just as if you search for a transaction that hit this wallet "11CtTrDnLu2DtbQJPYDUVGf5ZeQ7RB1ao", you arrive at this SSL-enabled page "https://blockchain.info/address/11CtTrDnLu2DtbQJPYDUVGf5ZeQ7RB1ao"

The page is only encrypted to prevent a man in the middle from replacing information on each result page, but it does zero in the name of user privacy. Adding a redirect won't change anything.
Correct me if I am wrong, but URLs are encrypted in SSL as well.


Title: Re: Blockchain.info should switch to SSL by default
Post by: ianp on June 14, 2013, 03:24:31 PM
So, if I go to blockchain.info and search for a transaction, upon hitting post, it redirects me to the SSL version of their site. This is where it redirected me, as a matter of a fact:

https://blockchain.info/block-index/393463/0000000000000101a6ec423efffd45e070f3aa628d4ab9fd688abb9eb26555f8

See anything wrong with it? Any attacker or man-in-the-middle will know exactly what you were searching for simply by looking at the URL you arrive at. Just as if you search for a transaction that hit this wallet "11CtTrDnLu2DtbQJPYDUVGf5ZeQ7RB1ao", you arrive at this SSL-enabled page "https://blockchain.info/address/11CtTrDnLu2DtbQJPYDUVGf5ZeQ7RB1ao"

The page is only encrypted to prevent a man in the middle from replacing information on each result page, but it does zero in the name of user privacy. Adding a redirect won't change anything.
Correct me if I am wrong, but URLs are encrypted in SSL as well.

You are correct.


Title: Re: Blockchain.info should switch to SSL by default
Post by: ripper234 on June 14, 2013, 04:28:52 PM
Redirect upon form submission is useless - the form is still originally submitted over HTTP, so the information goes over clear text. Afterwards you get redirected, but your security has already been compromised.
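To make the two flows discussed here concrete, the following Python model (an added example, not code from this thread or from blockchain.info) shows what a passive on-path observer such as an ISP can read from each message: a plaintext HTTP request exposes the host, path and query, while an HTTPS connection exposes only the server name in the TLS ClientHello's SNI extension, not the URL. The HTTP request lines and the TLS 1.2 ClientHello bytes are constructed by hand; the form action `/search?search=<address>` is a hypothetical endpoint, and the address and hostname are the ones quoted above.

```python
"""What a passive observer learns from (a) a search form submitted over HTTP
and then redirected to HTTPS, versus (b) a redirect to HTTPS at the homepage
before any search is made. Constructed example; only the standard library."""
import struct
from urllib.parse import urlsplit, parse_qs

HOST = "blockchain.info"
ADDRESS = "11CtTrDnLu2DtbQJPYDUVGf5ZeQ7RB1ao"   # address quoted in the thread


def http_get(path):
    """Plaintext HTTP/1.1 GET request as it appears on the wire (constructed)."""
    return f"GET {path} HTTP/1.1\r\nHost: {HOST}\r\n\r\n".encode()


def tls_client_hello(server_name):
    """Minimal TLS 1.2 ClientHello record with a server_name (SNI) extension.

    This is the only plaintext an observer sees of an HTTPS connection; the
    HTTP request that follows (method, path, query, headers) is encrypted.
    """
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack(">H", len(name)) + name      # name_type = host_name
    sni_list = struct.pack(">H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack(">HH", 0x0000, len(sni_list)) + sni_list  # extension_type = server_name
    extensions = struct.pack(">H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03"              # client_version TLS 1.2
            + bytes(32)              # random (zeros, constructed)
            + b"\x00"                # session_id length 0
            + b"\x00\x02\xc0\x2f"    # cipher_suites: one suite
            + b"\x01\x00"            # compression_methods: null
            + extensions)
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body   # client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def sni_from_client_hello(record):
    """Parse the server_name extension out of a ClientHello; None if absent."""
    if record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 9 + 2 + 32                          # record + handshake headers, version, random
    pos += 1 + record[pos]                    # session_id
    pos += 2 + struct.unpack(">H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]                    # compression_methods
    if pos >= len(record):
        return None
    end = pos + 2 + struct.unpack(">H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, length = struct.unpack(">HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:
            # server_name_list: 2-byte list length, then (name_type, 2-byte length, name)
            name_len = struct.unpack(">H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + name_len].decode()
        pos += length
    return None


def observer_view(wire):
    """Fields a passive observer can read from one wire message."""
    if wire[:1] == b"\x16":                   # TLS record: only the SNI hostname is visible
        return {"transport": "tls", "host": sni_from_client_hello(wire)}
    lines = wire.decode().split("\r\n")
    method, target, _ = lines[0].split(" ")
    host = next((h.split(":", 1)[1].strip() for h in lines[1:]
                 if h.lower().startswith("host:")), None)
    parts = urlsplit(target)
    search = parse_qs(parts.query).get("search", [None])[0]
    return {"transport": "http", "method": method, "host": host,
            "path": parts.path, "search": search}


def flow_redirect_after_submit(address):
    """(a) Homepage and form submission in the clear; the 301 target is HTTPS."""
    wire = [http_get("/"), http_get(f"/search?search={address}"), tls_client_hello(HOST)]
    return [observer_view(w) for w in wire]


def flow_redirect_at_homepage(address):
    """(b) The first HTTP hit is redirected to HTTPS before any search is typed."""
    wire = [http_get("/"), tls_client_hello(HOST)]
    return [observer_view(w) for w in wire]


def leaked_addresses(views):
    """Searched addresses the observer could read in plaintext."""
    return [v["search"] for v in views if v["transport"] == "http" and v.get("search")]


if __name__ == "__main__":
    print("redirect after submit leaks:", leaked_addresses(flow_redirect_after_submit(ADDRESS)))
    print("redirect at homepage leaks:", leaked_addresses(flow_redirect_at_homepage(ADDRESS)))
```

In both flows the hostname is visible anyway (in the Host header, the SNI extension and the DNS lookup), so what the homepage redirect protects is the path and query, which is exactly where the searched address sits. The 301 to the HTTPS result page in flow (a) arrives only after the address has already crossed the wire in the clear.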


Title: Re: Blockchain.info should switch to SSL by default
Post by: lucasjkr on June 14, 2013, 05:12:56 PM
I take back what I said, and am instead pleasantly surprised.  I had always been under the impression that GET requests were inherently insecure, even over HTTPS. Google'd a bit just now and my understanding is now corrected.


Title: Re: Blockchain.info should switch to SSL by default
Post by: tinus42 on June 14, 2013, 05:55:57 PM
Install HTTPS Everywhere in Firefox or Chrome and you need not worry about accidentally going to an insecure page:

https://www.eff.org/https-everywhere

But yes it would be better if it was the default.


Title: Re: Blockchain.info should switch to SSL by default
Post by: Abdussamad on June 14, 2013, 06:01:58 PM
HTTPS traffic takes up more server resources than HTTP traffic. It takes up more CPU and RAM. Given that blockchain.info is a free service I see no reason why the webmaster should spring for more servers just to please some people.

If you are paranoid about this you should use the HTTPS version. Bookmark it and always visit the site via the bookmark.


Title: Re: Blockchain.info should switch to SSL by default
Post by: SgtSpike on June 14, 2013, 06:35:39 PM
Redirect upon form submission is useless - the form is still originally submitted over HTTP, so the information goes over clear text. Afterwards you get redirected, but your security has already been compromised.
Which is why I agree with you that, if https were to be implemented for search queries, it should start at the homepage.

HTTPS traffic takes up more server resources than HTTP traffic. It takes up more CPU and RAM. Given that blockchain.info is a free service I see no reason why the webmaster should spring for more servers just to please some people.

If you are paranoid about this you should use the HTTPS version. Bookmark it and always visit the site via the bookmark.
But there's this too.  It certainly increases real costs to implement HTTPS on every page, not to mention that pages will generally load slower for users.


Title: Re: Blockchain.info should switch to SSL by default
Post by: ripper234 on June 14, 2013, 07:56:43 PM
But there's this too.  It certainly increases real costs to implement HTTPS on every page, not to mention that pages will generally load slower for users.

Only piuk can say if this is a meaningful cost or a negligible one.
HTTPS is usually handled at the load balancer / front end servers, and AFAIK doesn't really take up a meaningful amount of resources.


Title: Re: Blockchain.info should switch to SSL by default
Post by: zedicus on June 14, 2013, 08:05:09 PM
Install HTTPS Everywhere in Firefox or Chrome and you need not worry about accidentally going to an insecure page:

https://www.eff.org/https-everywhere

But yes it would be better if it was the default.

Indeed!~

But SgtSpike is right! Server load and costs will increase and SSL on every page will slow it all down for sure!


Title: Re: Blockchain.info should switch to SSL by default
Post by: Abdussamad on June 15, 2013, 01:44:40 AM
But there's this too.  It certainly increases real costs to implement HTTPS on every page, not to mention that pages will generally load slower for users.

Only piuk can say if this is a meaningful cost or a negligible one.
HTTPS is usually handled at the load balancer / front end servers, and AFAIK doesn't really take up a meaningful amount of resources.

HTTPS does take up much more resources in my experience. I used to run a network of sites and when I enabled SSL access load and memory usage shot up a lot.


Title: Re: Blockchain.info should switch to SSL by default
Post by: ripper234 on June 15, 2013, 04:16:49 AM
HTTPS does take up much more resources in my experience. I used to run a network of sites and when I enabled SSL access load and memory usage shot up a lot.

Yeah, but compared to what?
When the baseline is a static content site, sure.
When the baseline is a complicated site like blockchain.info with multiple different processes - I'm not sure the relative added cost would be that significant.


Title: Re: Blockchain.info should switch to SSL by default
Post by: Abdussamad on June 15, 2013, 05:06:19 AM
HTTPS does take up much more resources in my experience. I used to run a network of sites and when I enabled SSL access load and memory usage shot up a lot.

Yeah, but compared to what?
When the baseline is a static content site, sure.
When the baseline is a complicated site like blockchain.info with multiple different processes - I'm not sure the relative added cost would be that significant.

Compared to a dynamic site. Specifically a site running a copy of the glype proxy script. Very dynamic - every single request including those for images and other linked content goes through a PHP file. Only caching is APC PHP bytecode caching. No database usage, which is different from blockchain.info, but still you get the idea.

HTTPS increases resource usage significantly. This is what my experience has taught me.


Title: Re: Blockchain.info should switch to SSL by default
Post by: ripper234 on June 15, 2013, 05:22:30 AM
HTTPS increases resource usage significantly. This is what my experience has taught me.

OK then.
The right course of action would be to measure the specific data on blockchain.info and decide.
In any case, I installed HTTPS Everywhere myself.


Title: Re: Blockchain.info should switch to SSL by default
Post by: pembo210 on June 16, 2013, 12:16:05 AM
What about a way to see just the basic info without loading the full page and images?
Like 5 last incoming/outgoing or balance?

Edit: like the way https://blockchain.info/q/getblockcount shows only text,
show only:
last   {in/out, amount, to/from account, #of confirms, time/date, balance}
2 ago {in/out, amount, to/from account, #of confirms, time/date, balance}
3 ago {in/out, amount, to/from account, #of confirms, time/date, balance}