Bitcoin Forum
Topic: Blockchain.info should switch to SSL by default (Read 1824 times)
ripper234 (Hero Member)
June 14, 2013, 11:25:59 AM  #1

Currently blockchain.info supports SSL, but doesn't require it. If you go to either http://blockchain.info/ or https://blockchain.info/ and search for a bitcoin address, it works.

I propose that the homepage will always redirect from http://blockchain.info/ to https://blockchain.info/
After this redirect, any search a user does on this site will be on SSL by default.

The purpose is to make it a bit harder on men-in-the-middle (e.g. ISPs) to capture any traffic that helps them analyze which users searched which addresses.

naphto (Sr. Member)
June 14, 2013, 11:46:33 AM  #2

Why not? But not compulsory.
That would prevent me from sleeping ...

lucasjkr (Full Member)
June 14, 2013, 02:46:14 PM  #3

So, if I go to blockchain.info and search for a transaction, upon hitting post, it redirects me to the SSL version of their site. This is where it redirected me, as a matter of fact:

https://blockchain.info/block-index/393463/0000000000000101a6ec423efffd45e070f3aa628d4ab9fd688abb9eb26555f8

See anything wrong with it? Any attacker or man-in-the-middle will know exactly what you were searching for simply by looking at the URL you arrive at. Just as if you search for a transaction that hit this wallet "11CtTrDnLu2DtbQJPYDUVGf5ZeQ7RB1ao", you arrive at this SSL-enabled page "https://blockchain.info/address/11CtTrDnLu2DtbQJPYDUVGf5ZeQ7RB1ao"

The page is only encrypted to prevent a man in the middle from replacing information on each result page, but it does zero in the name of user privacy. Adding a redirect won't change anything.
SgtSpike (Hero Member)
June 14, 2013, 03:01:47 PM  #4

Quote from: lucasjkr on June 14, 2013, 02:46:14 PM
> So, if I go to blockchain.info and search for a transaction, upon hitting post, it redirects me to the SSL version of their site. This is where it redirected me, as a matter of fact:
>
> https://blockchain.info/block-index/393463/0000000000000101a6ec423efffd45e070f3aa628d4ab9fd688abb9eb26555f8
>
> See anything wrong with it? Any attacker or man-in-the-middle will know exactly what you were searching for simply by looking at the URL you arrive at. Just as if you search for a transaction that hit this wallet "11CtTrDnLu2DtbQJPYDUVGf5ZeQ7RB1ao", you arrive at this SSL-enabled page "https://blockchain.info/address/11CtTrDnLu2DtbQJPYDUVGf5ZeQ7RB1ao"
>
> The page is only encrypted to prevent a man in the middle from replacing information on each result page, but it does zero in the name of user privacy. Adding a redirect won't change anything.

Correct me if I am wrong, but URLs are encrypted in SSL as well.

ianp (Full Member)
June 14, 2013, 03:24:31 PM  #5

Quote from: SgtSpike on June 14, 2013, 03:01:47 PM
> Quote from: lucasjkr on June 14, 2013, 02:46:14 PM
> > So, if I go to blockchain.info and search for a transaction, upon hitting post, it redirects me to the SSL version of their site. This is where it redirected me, as a matter of fact:
> >
> > https://blockchain.info/block-index/393463/0000000000000101a6ec423efffd45e070f3aa628d4ab9fd688abb9eb26555f8
> >
> > See anything wrong with it? Any attacker or man-in-the-middle will know exactly what you were searching for simply by looking at the URL you arrive at. Just as if you search for a transaction that hit this wallet "11CtTrDnLu2DtbQJPYDUVGf5ZeQ7RB1ao", you arrive at this SSL-enabled page "https://blockchain.info/address/11CtTrDnLu2DtbQJPYDUVGf5ZeQ7RB1ao"
> >
> > The page is only encrypted to prevent a man in the middle from replacing information on each result page, but it does zero in the name of user privacy. Adding a redirect won't change anything.
>
> Correct me if I am wrong, but URLs are encrypted in SSL as well.

You are correct.

ripper234 (Hero Member)
June 14, 2013, 04:28:52 PM  #6

Redirect upon form submission is useless - the form is still originally submitted over HTTP, so the information goes over clear text. Afterwards you get redirected, but your security has already been compromised.

lucasjkr (Full Member)
June 14, 2013, 05:12:56 PM  #7

I take back what I said, and am instead pleasantly surprised. I had always been under the impression that GET requests were inherently insecure, even over HTTPS. Googled a bit just now and my understanding is now corrected.
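The exchange above (lucasjkr's worry, the answer from SgtSpike and ianp) turns on what an on-path observer can actually read. The following is an added example, not code from any post in this thread, that makes it concrete in Python: it builds the first packet a browser sends when opening https://blockchain.info/address/..., a TLS ClientHello carrying a Server Name Indication (SNI) extension, and parses it the way a passive observer would. The path is not in that packet at all (the request line and headers travel only inside encrypted records after the handshake), but the hostname is there in clear text in the SNI extension, and DNS lookups and the server's IP address expose the same thing. So the thread is right that the URL path and query are protected, with the caveat that "which site" stays visible. The hostname and the address path are taken from the posts above; the cipher suite and the 32-byte random are placeholders, and the record is only meant to be parsed, not to complete a real handshake.

```python
"""
Added example (not from the thread): what an on-path observer reads from
the first packet of an HTTP request versus an HTTPS one.
"""
import os
import struct
from typing import Optional

HOST = "blockchain.info"
PATH = "/address/11CtTrDnLu2DtbQJPYDUVGf5ZeQ7RB1ao"   # address quoted in the thread


def build_client_hello(hostname: str) -> bytes:
    """Return one TLS record holding a ClientHello with an SNI extension.
    One placeholder cipher suite; enough to parse, not a usable handshake."""
    name = hostname.encode("ascii")
    # ServerName: name_type 0 (host_name), 2-byte length, the name itself
    server_name = b"\x00" + struct.pack("!H", len(name)) + name
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    sni_ext = struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext

    body = (
        b"\x03\x03"                                # client_version: TLS 1.2
        + os.urandom(32)                           # random (placeholder)
        + b"\x00"                                  # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"       # one cipher suite
        + b"\x01\x00"                              # compression: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake(22)


def extract_sni(record: bytes) -> Optional[str]:
    """Parse a TLS record and return the SNI hostname, or None if absent.
    This is all a passive observer (or a filtering middlebox) needs to do."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        return None
    p = 4                 # handshake type + 3-byte length
    p += 2 + 32           # client_version + random
    sid_len = hs[p]; p += 1 + sid_len
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2 + cs_len
    cm_len = hs[p]; p += 1 + cm_len
    if p + 2 > len(hs):
        return None       # no extensions block at all
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    end = p + ext_len
    while p + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", hs[p:p + 4]); p += 4
        if ext_type == 0x0000:                     # server_name
            q = p + 2                              # skip ServerNameList length
            name_type = hs[q]; q += 1
            name_len = struct.unpack("!H", hs[q:q + 2])[0]; q += 2
            if name_type == 0:
                return hs[q:q + name_len].decode("ascii")
        p += ext_size
    return None


def observer_view(hostname: str, path: str) -> dict:
    """What a man-in-the-middle reads from the first packet of each transport."""
    http_request = f"GET {path} HTTP/1.1\r\nHost: {hostname}\r\n\r\n".encode()
    tls_hello = build_client_hello(hostname)
    return {
        "http_sees_path": path.encode() in http_request,   # True: request line is plaintext
        "https_sees_path": path.encode() in tls_hello,     # False: path is not in the ClientHello
        "https_sees_host": extract_sni(tls_hello),         # hostname leaks via SNI
    }


if __name__ == "__main__":
    print(observer_view(HOST, PATH))
```

Running it prints a True for the plaintext request, a False for the path inside the ClientHello, and the hostname recovered from SNI. Anyone correlating "which users searched which addresses" therefore needs something beyond passive capture once the site is HTTPS-only, but they still learn who visits the site.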
tinus42 (Sr. Member)
June 14, 2013, 05:55:57 PM  #8

Install HTTPS Everywhere in Firefox or Chrome and you need not worry about accidentally going to an insecure page:

https://www.eff.org/https-everywhere

But yes it would be better if it was the default.

Abdussamad (Sr. Member)
June 14, 2013, 06:01:58 PM  #9

HTTPS traffic takes up more server resources than HTTP traffic. It takes up more CPU and RAM. Given that blockchain.info is a free service I see no reason why the webmaster should spring for more servers just to please some people.

If you are paranoid about this you should use the HTTPS version. Bookmark it and always visit the site via the bookmark.

SgtSpike (Hero Member)
June 14, 2013, 06:35:39 PM  #10

Quote from: ripper234 on June 14, 2013, 04:28:52 PM
> Redirect upon form submission is useless - the form is still originally submitted over HTTP, so the information goes over clear text. Afterwards you get redirected, but your security has already been compromised.

Which is why I agree with you that, if https were to be implemented for search queries, it should start at the homepage.

Quote from: Abdussamad on June 14, 2013, 06:01:58 PM
> HTTPS traffic takes up more server resources than HTTP traffic. It takes up more CPU and RAM. Given that blockchain.info is a free service I see no reason why the webmaster should spring for more servers just to please some people.
>
> If you are paranoid about this you should use the HTTPS version. Bookmark it and always visit the site via the bookmark.

But there's this too. It certainly increases real costs to implement HTTPS on every page, not to mention that pages will generally load slower for users.
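The policy the thread converges on (redirect at the homepage so the search form is never served over HTTP, since a redirect after the form has been submitted is too late) is small enough to show as code. The block below is an added example, not blockchain.info's code and not something any poster wrote: a WSGI wrapper in Python that sends every plaintext GET to the HTTPS origin, refuses plaintext POSTs (their body has already leaked and a redirect would silently drop it), and adds a Strict-Transport-Security header to HTTPS responses so a returning browser never tries http:// again, which closes the same window HTTPS Everywhere closes client-side. CANONICAL_HOST, HSTS_MAX_AGE, the explorer_app stand-in and the X-Forwarded-Proto convention for a TLS-terminating load balancer are assumptions.

```python
"""
Added example, not blockchain.info's code: "HTTPS by default" as a WSGI
wrapper. Plaintext requests are redirected before any form can be
submitted; HTTPS responses carry an HSTS header.
"""

CANONICAL_HOST = "blockchain.info"   # assumed canonical host
HSTS_MAX_AGE = 31536000              # assumed HSTS lifetime: one year, in seconds


def is_https(environ: dict) -> bool:
    """True if the request arrived over TLS, either directly or via a
    TLS-terminating load balancer that sets X-Forwarded-Proto. Trust that
    header only when a proxy you control strips it from client requests."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"


def https_only(app):
    """Wrap a WSGI app so that no plaintext HTTP request ever reaches it."""
    def wrapper(environ, start_response):
        if not is_https(environ):
            path = environ.get("PATH_INFO") or "/"
            query = environ.get("QUERY_STRING", "")
            location = f"https://{CANONICAL_HOST}{path}" + (f"?{query}" if query else "")
            if environ.get("REQUEST_METHOD", "GET") in ("GET", "HEAD"):
                # The request line has already crossed the wire in clear
                # text; the redirect only protects what happens next.
                start_response("301 Moved Permanently",
                               [("Location", location), ("Content-Length", "0")])
                return [b""]
            # A form POSTed over HTTP has leaked its body already, and a
            # redirect would turn it into a GET without the body, so refuse
            # rather than pretend the redirect fixed anything.
            body = b"This endpoint is HTTPS only.\n"
            start_response("403 Forbidden",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]

        def hsts_start_response(status, headers, exc_info=None):
            # HSTS is only honoured by browsers when sent over HTTPS,
            # which is the only branch that reaches this point.
            headers = [(k, v) for k, v in headers
                       if k.lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security",
                            f"max-age={HSTS_MAX_AGE}; includeSubDomains"))
            return start_response(status, headers, exc_info)

        return app(environ, hsts_start_response)
    return wrapper


def explorer_app(environ, start_response):
    """Stand-in for the block explorer (assumption): echoes the address looked up."""
    path = environ.get("PATH_INFO", "/")
    if path.startswith("/address/"):
        body = f"address {path[len('/address/'):]}\n".encode()
    else:
        body = b"search form\n"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


secure_app = https_only(explorer_app)


def call(app, method: str, scheme: str, path: str, query: str = "") -> dict:
    """Drive a WSGI app with a constructed request; returns status, headers, body."""
    environ = {"REQUEST_METHOD": method, "wsgi.url_scheme": scheme,
               "PATH_INFO": path, "QUERY_STRING": query,
               "HTTP_HOST": CANONICAL_HOST}
    out = {}

    def start_response(status, headers, exc_info=None):
        out["status"], out["headers"] = status, dict(headers)

    out["body"] = b"".join(app(environ, start_response))
    return out


if __name__ == "__main__":
    addr = "/address/11CtTrDnLu2DtbQJPYDUVGf5ZeQ7RB1ao"
    for req in [("GET", "http", "/"), ("GET", "http", addr),
                ("POST", "http", "/search"), ("GET", "https", addr)]:
        r = call(secure_app, *req)
        print(req, r["status"],
              r["headers"].get("Location") or r["headers"].get("Strict-Transport-Security"))
```

The wrapper sits in front of the application, so the cost question raised in this thread lands where ripper234 later puts it: TLS itself is terminated at the edge, and the application only sees the scheme the edge reports.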

ripper234 (Hero Member)
June 14, 2013, 07:56:43 PM  #11

Quote from: SgtSpike on June 14, 2013, 06:35:39 PM
> But there's this too. It certainly increases real costs to implement HTTPS on every page, not to mention that pages will generally load slower for users.

Only piuk can say if this is a meaningful cost or a negligible one.
HTTPS is usually handled at the load balancer / front end servers, and AFAIK doesn't really take up a meaningful amount of resources.

zedicus (Sr. Member)
June 14, 2013, 08:05:09 PM  #12

Quote from: tinus42 on June 14, 2013, 05:55:57 PM
> Install HTTPS Everywhere in Firefox or Chrome and you need not worry about accidentally going to an insecure page:
>
> https://www.eff.org/https-everywhere
>
> But yes it would be better if it was the default.

Indeed!~

But SgtSpike is right! Server load and costs will increase and SSL on every page will slow it all down for sure!

Abdussamad (Sr. Member)
June 15, 2013, 01:44:40 AM  #13

Quote from: ripper234 on June 14, 2013, 07:56:43 PM
> Quote from: SgtSpike on June 14, 2013, 06:35:39 PM
> > But there's this too. It certainly increases real costs to implement HTTPS on every page, not to mention that pages will generally load slower for users.
>
> Only piuk can say if this is a meaningful cost or a negligible one.
> HTTPS is usually handled at the load balancer / front end servers, and AFAIK doesn't really take up a meaningful amount of resources.

HTTPS does take up much more resources in my experience. I used to run a network of sites and when I enabled SSL access load and memory usage shot up a lot.

ripper234 (Hero Member)
June 15, 2013, 04:16:49 AM  #14

Quote from: Abdussamad on June 15, 2013, 01:44:40 AM
> HTTPS does take up much more resources in my experience. I used to run a network of sites and when I enabled SSL access load and memory usage shot up a lot.

Yeah, but compared to what?
When the baseline is a static content site, sure.
When the baseline is a complicated site like blockchain.info with multiple different processes - I'm not sure the relative added cost would be that significant.

Abdussamad (Sr. Member)
June 15, 2013, 05:06:19 AM  #15

Quote from: ripper234 on June 15, 2013, 04:16:49 AM
> Quote from: Abdussamad on June 15, 2013, 01:44:40 AM
> > HTTPS does take up much more resources in my experience. I used to run a network of sites and when I enabled SSL access load and memory usage shot up a lot.
>
> Yeah, but compared to what?
> When the baseline is a static content site, sure.
> When the baseline is a complicated site like blockchain.info with multiple different processes - I'm not sure the relative added cost would be that significant.

Compared to a dynamic site. Specifically a site running a copy of the glype proxy script. Very dynamic - every single request including those for images and other linked content goes through a PHP file. Only caching is APC PHP bytecode caching. No database usage, which is different from blockchain.info, but still you get the idea.

HTTPS increases resource usage significantly. This is what my experience has taught me.

ripper234 (Hero Member)
June 15, 2013, 05:22:30 AM  #16

Quote from: Abdussamad on June 15, 2013, 05:06:19 AM
> HTTPS increases resource usage significantly. This is what my experience has taught me.

OK then.
The right course of action would be to measure the specific data on blockchain.info and decide.
In any case, I installed HTTPS Everywhere myself.

pembo210 (Member)
June 16, 2013, 12:16:05 AM  #17

What about a way to see just the basic info without loading the full page and images?
Like 5 last incoming/outgoing or balance?

Edit: like the way https://blockchain.info/q/getblockcount shows only text, show only:

last   {in/out, amount, to/from account, #of confirms, time/date, balance}
2 ago  {in/out, amount, to/from account, #of confirms, time/date, balance}
3 ago  {in/out, amount, to/from account, #of confirms, time/date, balance}
