Bitcoin Forum
August 30, 2015, 03:55:50 PM *
Author Topic: Blockchain.info should switch to SSL by default  (Read 2432 times)
ripper234 (Ron Gross)
June 14, 2013, 11:25:59 AM  #1

Currently blockchain.info supports SSL, but doesn't require it. If you go to either http://blockchain.info/ or https://blockchain.info/ and search for a bitcoin address, it works.

I propose that the homepage will always redirect from http://blockchain.info/ to https://blockchain.info/
After this redirect, any search a user does on this site will be on SSL by default.

The purpose is to make it a bit harder on men-in-the-middle (e.g. ISPs) to capture any traffic that helps them analyze which users searched which addresses.

Please do not pm me, use ron@bitcoin.org.il instead
Mastercoin Executive Director
Co-founder of the Israeli Bitcoin Association

naphto
June 14, 2013, 11:46:33 AM  #2

Why not? But not compulsory.
That would prevent me from sleeping ...


lucasjkr
June 14, 2013, 02:46:14 PM  #3

So, if I go to blockchain.info and search for a transaction, upon hitting post, it redirects me to the SSL version of their site. This is where it redirected me, as a matter of fact:

https://blockchain.info/block-index/393463/0000000000000101a6ec423efffd45e070f3aa628d4ab9fd688abb9eb26555f8

See anything wrong with it? Any attacker or man-in-the-middle will know exactly what you were searching for simply by looking at the URL you arrive at. Just as if you search for a transaction that hit this wallet "11CtTrDnLu2DtbQJPYDUVGf5ZeQ7RB1ao", you arrive at this SSL-enabled page "https://blockchain.info/address/11CtTrDnLu2DtbQJPYDUVGf5ZeQ7RB1ao"

The page is only encrypted to prevent a man in the middle from replacing information on each result page, but it does zero in the name of user privacy. Adding a redirect won't change anything.

SgtSpike
June 14, 2013, 03:01:47 PM  #4

Quote from: lucasjkr (#3)
See anything wrong with it? Any attacker or man-in-the-middle will know exactly what you were searching for simply by looking at the URL you arrive at. [...] The page is only encrypted to prevent a man in the middle from replacing information on each result page, but it does zero in the name of user privacy. Adding a redirect won't change anything.

Correct me if I am wrong, but URLs are encrypted in SSL as well.

ianp
June 14, 2013, 03:24:31 PM  #5

Quote from: SgtSpike (#4)
Correct me if I am wrong, but URLs are encrypted in SSL as well.

You are correct.


ripper234 (Ron Gross)
June 14, 2013, 04:28:52 PM  #6

Redirect upon form submission is useless - the form is still originally submitted over HTTP, so the information goes over clear text. Afterwards you get redirected, but your security has already been compromised.


lucasjkr
June 14, 2013, 05:12:56 PM  #7

I take back what I said, and am instead pleasantly surprised.  I had always been under the impression that GET requests were inherently insecure, even over HTTPS. Google'd a bit just now and my understanding is now corrected.

tinus42
June 14, 2013, 05:55:57 PM  #8

Install HTTPS Everywhere in Firefox or Chrome and you need not worry about accidentally going to an insecure page:

https://www.eff.org/https-everywhere

But yes it would be better if it was the default.

Abdussamad
June 14, 2013, 06:01:58 PM  #9

HTTPS traffic takes up more server resources than HTTP traffic. It takes up more CPU and RAM. Given that blockchain.info is a free service I see no reason why the webmaster should spring for more servers just to please some people.

If you are paranoid about this you should use the HTTPS version. Bookmark it and always visit the site via the bookmark.


SgtSpike
June 14, 2013, 06:35:39 PM  #10

Quote from: ripper234 (#6)
Redirect upon form submission is useless - the form is still originally submitted over HTTP, so the information goes over clear text. Afterwards you get redirected, but your security has already been compromised.

Which is why I agree with you that, if https were to be implemented for search queries, it should start at the homepage.

Quote from: Abdussamad (#9)
HTTPS traffic takes up more server resources than HTTP traffic. It takes up more CPU and RAM. Given that blockchain.info is a free service I see no reason why the webmaster should spring for more servers just to please some people.

If you are paranoid about this you should use the HTTPS version. Bookmark it and always visit the site via the bookmark.

But there's this too. It certainly increases real costs to implement HTTPS on every page, not to mention that pages will generally load slower for users.
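The redirect placement argued over in posts #1, #3 through #7 and #10, as an added example that is not code from the thread or from blockchain.info. It models three server policies against constructed requests: no redirect, a redirect only after the search form is submitted, and a redirect of every plain-HTTP request starting at the homepage, and records what a passive on-path observer (the ISP of post #1) can read from each request. The assumptions are mine: the search form submits a GET to /search?q=<term>, and the hostname is treated as always visible to the observer because it travels in the DNS lookup and in the TLS Server Name Indication even when the path and query are encrypted. The hsts_remembered flag goes beyond the thread: it models a browser that already holds an HTTP Strict Transport Security entry for the host and upgrades a typed http:// URL before anything is sent.

```python
"""Simulation of HTTP-to-HTTPS redirect policies and what an eavesdropper sees.

Added example, not the forum's or blockchain.info's code. The form action,
the /search path and the observer model are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

HOST = "blockchain.info"
SAMPLE_ADDRESS = "11CtTrDnLu2DtbQJPYDUVGf5ZeQ7RB1ao"  # the address quoted in post #3


@dataclass
class Request:
    scheme: str  # "http" or "https"
    host: str
    path: str    # path plus query string, e.g. "/search?q=..."


@dataclass
class ObserverView:
    """What an ISP-level eavesdropper learns from a single request."""
    host: str            # from DNS and, for TLS, the SNI extension: never hidden
    cleartext_line: str  # the request line if the hop was plain HTTP, else ""


def observe(req: Request) -> ObserverView:
    if req.scheme == "http":
        return ObserverView(req.host, "GET %s HTTP/1.1" % req.path)
    # TLS encrypts the path, query string, headers and body; only the host leaks.
    return ObserverView(req.host, "")


def server(policy: str, req: Request) -> Optional[Request]:
    """Return the 302 target the server would send, or None for a 200 response.

    policy is one of:
      "none"      - serve everything over whatever scheme it arrived on
      "on_submit" - redirect only the search result, as post #3 observed
      "entry"     - redirect every plain-HTTP request, homepage included (post #1)
    """
    if req.scheme == "https" or policy == "none":
        return None
    if policy == "on_submit" and not req.path.startswith("/search"):
        return None
    return Request("https", req.host, req.path)


def browse_and_search(policy: str, term: str,
                      hsts_remembered: bool = False) -> List[Request]:
    """A user types http://HOST/ and then submits the search form for `term`.

    Returns every request that went on the wire, in order, including the
    follow-up to any redirect.
    """
    wire: List[Request] = []

    def fetch(req: Request) -> Request:
        if hsts_remembered and req.scheme == "http":
            # Browser-side upgrade: the plain-HTTP request is never sent.
            req = Request("https", req.host, req.path)
        wire.append(req)
        target = server(policy, req)
        if target is None:
            return req
        wire.append(target)
        return target

    landing = fetch(Request("http", HOST, "/"))
    # A relative form action inherits the scheme of the page it was served on,
    # so the search goes out over HTTPS only if the landing page already did.
    fetch(Request(landing.scheme, HOST, "/search?q=%s" % term))
    return wire


def leaked_terms(wire: List[Request], term: str) -> List[Request]:
    """Requests whose cleartext request line exposed the search term."""
    return [r for r in wire if term in observe(r).cleartext_line]


if __name__ == "__main__":
    for policy in ("none", "on_submit", "entry"):
        log = browse_and_search(policy, SAMPLE_ADDRESS)
        print("policy=%s" % policy)
        for r in log:
            v = observe(r)
            print("  %-5s %s%s  observer sees host=%s line=%r"
                  % (r.scheme, r.host, r.path, v.host, v.cleartext_line))
        print("  searched term leaked in %d request(s)"
              % len(leaked_terms(log, SAMPLE_ADDRESS)))
```

Run it directly to print the wire log for each policy. The thing to notice is that the redirect-on-submit policy leaks the searched address exactly once, in the GET that precedes the 302, which is the point post #6 makes; the entry-point policy never puts the term on the wire, but the observer still learns the hostname from every request, encrypted or not, and the very first http://blockchain.info/ request is plaintext until the browser has an HSTS entry to upgrade it.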

ripper234 (Ron Gross)
June 14, 2013, 07:56:43 PM  #11

Quote from: SgtSpike (#10)
But there's this too. It certainly increases real costs to implement HTTPS on every page, not to mention that pages will generally load slower for users.

Only piuk can say if this is a meaningful cost or a negligible one.
HTTPS is usually handled at the load balancer / front end servers, and AFAIK doesn't really take up a meaningful amount of resources.


zedicus
June 14, 2013, 08:05:09 PM  #12

Quote from: tinus42 (#8)
Install HTTPS Everywhere in Firefox or Chrome and you need not worry about accidentally going to an insecure page:

https://www.eff.org/https-everywhere

But yes it would be better if it was the default.

Indeed!~

But SgtSpike is right! Server load and costs will increase and SSL on every page will slow it all down for sure!

Abdussamad
June 15, 2013, 01:44:40 AM  #13

Quote from: ripper234 (#11)
Only piuk can say if this is a meaningful cost or a negligible one.
HTTPS is usually handled at the load balancer / front end servers, and AFAIK doesn't really take up a meaningful amount of resources.

HTTPS does take up much more resources in my experience. I used to run a network of sites and when I enabled SSL access load and memory usage shot up a lot.


ripper234 (Ron Gross)
June 15, 2013, 04:16:49 AM  #14

Quote from: Abdussamad (#13)
HTTPS does take up much more resources in my experience. I used to run a network of sites and when I enabled SSL access load and memory usage shot up a lot.

Yeah, but compared to what?
When the baseline is a static content site, sure.
When the baseline is a complicated site like blockchain.info with multiple different processes - I'm not sure the relative added cost would be that significant.


Abdussamad
June 15, 2013, 05:06:19 AM  #15

Quote from: ripper234 (#14)
Yeah, but compared to what?
When the baseline is a static content site, sure.
When the baseline is a complicated site like blockchain.info with multiple different processes - I'm not sure the relative added cost would be that significant.

Compared to a dynamic site. Specifically a site running a copy of the glype proxy script. Very dynamic - every single request including those for images and other linked content goes through a PHP file. Only caching is APC PHP bytecode caching. No database usage, which is different from blockchain.info, but still you get the idea.

HTTPS increases resource usage significantly. This is what my experience has taught me.


ripper234 (Ron Gross)
June 15, 2013, 05:22:30 AM  #16

Quote from: Abdussamad (#15)
HTTPS increases resource usage significantly. This is what my experience has taught me.

OK then.
The right course of action would be to measure the specific data on blockchain.info and decide.
In any case, I installed HTTPS Everywhere myself.


pembo210
June 16, 2013, 12:16:05 AM  #17

What about a way to see just the basic info without loading the full page and images?
Like 5 last incoming/outgoing or balance?

Edit: like the way https://blockchain.info/q/getblockcount shows only text,
show only:   
last   {in/out, amount, to/from account, #of confirms, time/date, balance}
2 ago {in/out, amount, to/from account, #of confirms, time/date, balance}
3 ago {in/out, amount, to/from account, #of confirms, time/date, balance}
