|
Title: btc.to needs to use https Post by: jimbobway on July 28, 2011, 03:59:01 PM If you guys are out there you guys really need to use https instead of just http for your calls. It is not safe without it.
Title: Re: btc.to needs to use https Post by: jostmey on July 28, 2011, 10:48:33 PM Why?
They are a URL shorten-er. The URL request is not encrypted over HTTPs if my memory serves me correctly. So it would not bring any added security, and it would just slow down their website. Their are many reasons why to not use HTTPs, or to at least not use HTTPs on every page.
Title: Re: btc.to needs to use https Post by: Chick on July 28, 2011, 11:39:46 PM If you guys are out there you guys really need to use https instead of just http for your calls. It is not safe without it. From someone who doesn't understand shit about how the web works. Could you please tell me why https would provide even a tiny shit of protection? The only thing I can see coming out of this is increased bandwidth usage and slower pages. "Oh ho ho, you guys need https because it protects public Bitcoin addresses from being intercepted!" Title: Re: btc.to needs to use https Post by: jimbobway on July 29, 2011, 04:25:11 AM He's right. The reason btc.to needs to use HTTPS is to prevent Man In The Middle attacks. Currently. someone could change the return value of http://btc.to/1 from the real address to their own address. That being said we've always planned on adding it, we were just waiting to see if btc.to would get some real traction with users. At this point we feel it has and will be adding HTTPS as well as HSTS (http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) soon so no matter how you access it you'll always be protected using HTTPS. We'll also start publishing our entire DB shortly so that people can verify for themselves we aren't manipulating the shortened addresses. Thank you very much for your response. Title: Re: btc.to needs to use https Post by: theymos on July 29, 2011, 05:47:11 AM I don't think it needs to be the default, though it should be supported if it isn't already.
The URL request is not encrypted over HTTPs if my memory serves me correctly. Wrong. Title: Re: btc.to needs to use https Post by: wumpus on July 29, 2011, 06:18:44 AM He's right. The reason btc.to needs to use HTTPS is to prevent Man In The Middle attacks. Currently. someone could change the return value of http://btc.to/1 from the real address to their own address. ^^ ExactlyAlso "SSL is slow" is a myth on modern hardware. Please stop propagating it for the sake of internet security. Title: Re: btc.to needs to use https Post by: theymos on July 29, 2011, 06:53:14 AM Also "SSL is slow" is a myth on modern hardware. Please stop propagating it for the sake of internet security. The crypto is not exceptionally slow, but the additional packets are. A full TLS handshake requires at least four additional packets. Also, some browsers will delay the connection until they've performed an OCSP check on the certificate, which can alone take up to a half second. All of this can add up to seconds of additional delay. I performed a simple test on http://blockexplorer.com/q/getblockcount . The HTTP version took 0.24 seconds, while the HTTPS version took 1.00 second. (This is due mostly to the handshake: additional requests would take almost the same time.) Title: Re: btc.to needs to use https Post by: wumpus on July 29, 2011, 08:01:45 AM The crypto is not exceptionally slow, but the additional packets are. A full TLS handshake requires at least four additional packets. Also, some browsers will delay the connection until they've performed an OCSP check on the certificate, which can alone take up to a half second. All of this can add up to seconds of additional delay. That's only for the first access. After that, the session can be cached. Also, there has been a lot of work (by Google, for example) in removing the extra roundtrip which is in newer browsers and webservers. See how fast gmail.com is *with* HTTPS?It really is a non-issue these days. Just use HTTPS. If it's noticably slower you're using old broken software (either browser or webserver). And even with a slight delay, the added security is worth it. |