Bitcoin Forum
Topic: This server is overloaded?  (Read 3521 times)
The Madhatter (Hero Member, Activity: 490), November 20, 2010, 01:19:44 PM, post #21

Quote:
I agree that plain http is better for static non-restricted stuff such as images, css, js, which is perfectly cacheable. The main problem is that you can't use http images in https sites without creating browser warnings (the reason for this being insertion/xss attacks). A compromised caching proxy server could insert arbitrary images/css/js (and thus, scripts) into your site. (This could be solved if http supported content signing and checking on import, but that'd require browser and protocol changes.)

I know all of this already. You're preaching to the choir. :)

Quote:
Eventually security will trump bandwidth and CPU concerns, as people will trust more of their life to the internet, and it becomes easier and easier for laymen to sniff plaintext connections and hijack connections (Firesheep et al).
You can see it now with Gmail and Hotmail switching to https. That's only the beginning; many more are on the verge of switching.

Oh sure. Webmail should have always had SSL. I'm surprised they went this long without it. I'm sure that back when Hotmail started the CPU overhead would have killed them. I know this isn't the case now.

SSL is a PITA for content delivery. It just won't fly. If I can't let ISPs cache my content I need 10x the amount of servers. Not to mention my site slows down because the ability for ISPs to cache my content local to a particular geographic region isn't possible.

SSL also doesn't stop MITM/sniffing problems since no browser cares when SSL certs change. Until browsers ship with a plugin like Certificate Patrol (for FF), SSL won't save anyone from these attacks.

Food for thought.. :)
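The "no browser cares when SSL certs change" point above is what Certificate Patrol addressed: remember what a site presented last time and warn when it differs. The following is an added example, not code from the post or from Certificate Patrol, of that trust-on-first-use check written in Go. It pins the SHA-256 of the certificate's SubjectPublicKeyInfo rather than the whole certificate, so a routine renewal that keeps the same key passes silently while a certificate for a different key (what an interception proxy has to present) is flagged. The host name, the self-signed test certificates and the three-visit scenario are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Outcome of checking one observed certificate against the pin store.
const (
	Pinned    = "first sight: pinning this key"
	Match     = "known key: ok"
	KeyChange = "KEY CHANGED since last visit: possible MITM, do not proceed silently"
)

// PinStore remembers, per host, the SHA-256 of the SubjectPublicKeyInfo seen on
// the first visit (trust on first use), the way Certificate Patrol remembers
// the certificate it saw before. A real client would persist this map.
type PinStore struct {
	pins map[string][32]byte
}

func NewPinStore() *PinStore { return &PinStore{pins: map[string][32]byte{}} }

// Observe compares the key in cert with what was pinned for host.
func (s *PinStore) Observe(host string, cert *x509.Certificate) string {
	fp := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	old, seen := s.pins[host]
	switch {
	case !seen:
		s.pins[host] = fp
		return Pinned
	case old == fp:
		return Match
	default:
		return KeyChange
	}
}

// Fingerprint renders the pinned hash for showing to the user ("" if none).
func (s *PinStore) Fingerprint(host string) string {
	fp, ok := s.pins[host]
	if !ok {
		return ""
	}
	return hex.EncodeToString(fp[:])
}

// selfSigned builds a throwaway self-signed certificate for host with key.
// Constructed test material; a browser would get the chain from the handshake.
func selfSigned(host string, key *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Scenario walks three visits to one host: first visit, a renewal that keeps
// the site's key, then a certificate for a different key as a MITM presents.
func Scenario(host string) []string {
	store := NewPinStore()
	siteKey, mitmKey := newKey(), newKey()
	return []string{
		store.Observe(host, selfSigned(host, siteKey, 1)), // Pinned
		store.Observe(host, selfSigned(host, siteKey, 2)), // Match: renewal, same key
		store.Observe(host, selfSigned(host, mitmKey, 3)), // KeyChange
	}
}

func main() {
	for i, r := range Scenario("mail.example.com") {
		fmt.Printf("visit %d: %s\n", i+1, r)
	}
}
```

Pinning the key instead of the certificate is a deliberate choice: pinning the whole certificate makes every legitimate renewal look like an attack, which trains users to click through the warning, and that is exactly the failure this check is meant to prevent.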
wumpus (Hero Member, Activity: 798), November 20, 2010, 01:27:20 PM, post #22

Quote:
SSL is a PITA for content delivery. It just won't fly. If I can't let ISPs cache my content I need 10x the amount of servers. Not to mention my site slows down because the ability for ISPs to cache my content local to a particular geographic region isn't possible.
Well, we don't really have ISP-based caching servers here in Europe, and it works OK. Most companies do their own frontend/backend caching.

And for paid content you want security in place anyway. Although my argument was not for youtube-like services. More like forums, communication, chat, mail, identification, etc... The things for which security matters.
Quote:
SSL also doesn't stop MITM/sniffing problems since no browser cares when SSL certs change. Until browsers ship with a plugin like Certificate Patrol (for FF), SSL won't save anyone from these attacks.
It doesn't stop all attacks but is significantly more secure than plaintext. Nothing ever is fully secure, that is not an argument for lower security, ever!

Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through File > Backup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.
The Madhatter (Hero Member, Activity: 490), November 20, 2010, 01:36:22 PM, post #23

Quote:
Well, we don't really have ISP-based caching servers here in Europe, and it works OK. Most companies do their own frontend/backend caching.

Are you sure? Tons of ISPs do transparent caching.

Quote:
And for paid content you want security in place anyway.

Security != encryption. For paid content (small static files), I'd choose http over https any day. For handling logins/sensitive information I'd use SSL. There is no reason to SSL an entire site. Especially when the content is public anyway.

Quote:
It doesn't stop all attacks but is significantly more secure than plaintext. Nothing ever is fully secure, that is not an argument for lower security, ever!

That's not what I meant. I was pointing out that SSL isn't a "cure all" for MITM/sniffing attacks. If the browsers got their $hit together when it came to SSL it would be far better than it currently is.
The Madhatter (Hero Member, Activity: 490), November 20, 2010, 01:52:42 PM, post #24

Quote:
it's way overdue anyway for the entire web to switch to https

Quote:
Although my argument was not for youtube-like services. More like forums, communication, chat, mail, identification, etc... The things for which security matters.

These two statements are contradictory.
wumpus (Hero Member, Activity: 798), November 20, 2010, 01:57:00 PM, post #25

Yes, it might be. I just remembered that even digital cable TV is encrypted these days.

Even with public files, one does not necessarily want everyone to know he/she is accessing them. And someone that is sniffing can see all http requests, including full path.

You are only reasoning from the side of the service provider, not the side of your customer. In my opinion, there is no reason to not simply encrypt everything. Better be safe than sorry.



The Madhatter (Hero Member, Activity: 490), November 20, 2010, 02:14:31 PM, post #26

Quote:
Yes, it might be. I just remembered that even digital cable TV is encrypted these days.

Sure. That is their form of access control. They broadcast their streams 24/7 to everyone. (Sometimes even to those who don't need/want the signal.) To prevent theft they scramble all of the content and rent you a box to decode it.

The Internet doesn't work the same way. The Internet has a lot of public content that has no need for encryption (you already mentioned YouTube) and you propose that we encrypt it and make the Internet slower? Why exactly? Just 'because we can'?

Quote:
Even with public files, one does not necessarily want everyone to know he/she is accessing them. And someone that is sniffing can see all http requests, including full path.

With all of the SSL MITM/sniffing stuff aside, the IP connections can still be logged and the data flows measured. What you are doing can still be assumed. You can still be implicated for connecting to a naughty site, etc.

For example, say you connect to an adult site from work and this site is entirely https. Your boss still knows you were looking at porn on company time. He cares not which individual image or video you downloaded.
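Both sides of the last two posts can be checked against the wire. wumpus's point is that a passive sniffer on plain HTTP sees the full request path; The Madhatter's is that with HTTPS the observer still learns which host you talked to. The Go program below is an added example, not code from either poster: it parses a constructed plaintext request the way a sniffer would, and then parses the real TLS ClientHello that Go's own crypto/tls client sends for the same host name (captured over an in-memory pipe, so no network is needed) to pull out the server_name extension (SNI) that travels in the clear. The host name and the request line are made up for the example.

```go
package main

import (
	"bufio"
	"crypto/tls"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"strings"
)

// Observation is what a passive sniffer recovers from the first bytes a client sends.
type Observation struct {
	Protocol string // "http" or "tls"
	Host     string // Host header, or the TLS server_name (SNI)
	Path     string // full request target for HTTP; TLS hides it
}

// SniffHTTP parses a plaintext request exactly as it crosses the wire.
func SniffHTTP(wire []byte) (Observation, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(string(wire))))
	if err != nil {
		return Observation{}, err
	}
	return Observation{Protocol: "http", Host: req.Host, Path: req.RequestURI}, nil
}

var errShort = errors.New("truncated ClientHello")

// SniffTLS walks a TLS ClientHello record to the server_name extension (RFC 6066).
func SniffTLS(wire []byte) (Observation, error) {
	if len(wire) < 9 || wire[0] != 0x16 || wire[5] != 0x01 {
		return Observation{}, errors.New("not a TLS ClientHello record")
	}
	b := wire[9:] // past the record header (5) and handshake header (4)
	p := 34       // skip client_version (2) and random (32)
	skip := func(lenBytes int) error { // step over one length-prefixed vector
		if len(b) < p+lenBytes {
			return errShort
		}
		n := int(b[p])
		if lenBytes == 2 {
			n = int(binary.BigEndian.Uint16(b[p:]))
		}
		p += lenBytes + n
		return nil
	}
	for _, l := range []int{1, 2, 1} { // session_id, cipher_suites, compression_methods
		if err := skip(l); err != nil {
			return Observation{}, err
		}
	}
	if len(b) < p+2 {
		return Observation{}, errShort
	}
	end := p + 2 + int(binary.BigEndian.Uint16(b[p:]))
	p += 2
	if end > len(b) {
		return Observation{}, errShort
	}
	for p+4 <= end {
		typ := binary.BigEndian.Uint16(b[p:])
		n := int(binary.BigEndian.Uint16(b[p+2:]))
		p += 4
		if p+n > end {
			return Observation{}, errShort
		}
		// server_name: list_len(2), then entries of name_type(1) name_len(2) name
		if typ == 0 && n >= 5 && b[p+2] == 0 {
			nameLen := int(binary.BigEndian.Uint16(b[p+3:]))
			if 5+nameLen > n {
				return Observation{}, errShort
			}
			return Observation{Protocol: "tls", Host: string(b[p+5 : p+5+nameLen])}, nil
		}
		p += n
	}
	return Observation{Protocol: "tls"}, errors.New("no server_name extension")
}

// CaptureClientHello records the real ClientHello Go's TLS client sends for
// serverName, over an in-memory pipe, so the example needs no network.
func CaptureClientHello(serverName string) ([]byte, error) {
	clientSide, sniffer := net.Pipe()
	defer sniffer.Close()
	go func() {
		c := tls.Client(clientSide, &tls.Config{ServerName: serverName})
		_ = c.Handshake() // fails once the sniffer end closes; the ClientHello is already out
		clientSide.Close()
	}()
	hdr := make([]byte, 5)
	if _, err := io.ReadFull(sniffer, hdr); err != nil {
		return nil, err
	}
	body := make([]byte, binary.BigEndian.Uint16(hdr[3:]))
	if _, err := io.ReadFull(sniffer, body); err != nil {
		return nil, err
	}
	return append(hdr, body...), nil
}

// Demo sniffs a constructed plaintext request and a live ClientHello for the same host.
func Demo() (plain, encrypted Observation, err error) {
	const request = "GET /videos/private/clip-0042.mp4?token=abc HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
	if plain, err = SniffHTTP([]byte(request)); err != nil {
		return
	}
	var hello []byte
	if hello, err = CaptureClientHello("www.example.com"); err != nil {
		return
	}
	encrypted, err = SniffTLS(hello)
	return
}

func main() {
	plain, enc, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("plain HTTP:  host=%s path=%s\n", plain.Host, plain.Path)
	fmt.Printf("TLS:         host=%s path=%q (request itself is encrypted)\n", enc.Host, enc.Path)
}
```

Run as-is it prints the host and full path for the HTTP case and only the host for TLS: the path, query string and any token in it never leave the encrypted channel, but the host name does, which is the basis for the "your boss still knows which site" observation above.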