Bitcoin Forum
Author Topic: Blockchain.info should switch to SSL by default  (Read 3184 times)
ripper234 (OP)
Ron Gross


June 14, 2013, 11:25:59 AM
 #1

Currently blockchain.info supports SSL, but doesn't require it. If you go to either http://blockchain.info/ or https://blockchain.info/ and search for a bitcoin address, it works.

I propose that the homepage will always redirect from http://blockchain.info/ to https://blockchain.info/
After this redirect, any search a user does on this site will be on SSL by default.

The purpose is to make it a bit harder on men-in-the-middle (e.g. ISPs) to capture any traffic that helps them analyze which users searched which addresses.

Please do not pm me, use ron@bitcoin.org.il instead
Mastercoin Executive Director
Co-founder of the Israeli Bitcoin Association
naphto
June 14, 2013, 11:46:33 AM
 #2

Why not? But not compulsory.
That would prevent me from sleeping ...
lucasjkr
June 14, 2013, 02:46:14 PM
 #3

So, if I go to blockchain.info and search for a transaction, upon hitting post, it redirects me to the SSL version of their site. This is where it redirected me, as a matter of fact:

https://blockchain.info/block-index/393463/0000000000000101a6ec423efffd45e070f3aa628d4ab9fd688abb9eb26555f8

See anything wrong with it? Any attacker or man-in-the-middle will know exactly what you were searching for simply by looking at the URL you arrive at. Just as if you search for a transaction that hit this wallet "11CtTrDnLu2DtbQJPYDUVGf5ZeQ7RB1ao", you arrive at this SSL-enabled page "https://blockchain.info/address/11CtTrDnLu2DtbQJPYDUVGf5ZeQ7RB1ao"

The page is only encrypted to prevent a man in the middle from replacing information on each result page, but it does zero in the name of user privacy. Adding a redirect won't change anything.
SgtSpike
June 14, 2013, 03:01:47 PM
 #4

> So, if I go to blockchain.info and search for a transaction, upon hitting post, it redirects me to the SSL version of their site. This is where it redirected me, as a matter of fact:
>
> https://blockchain.info/block-index/393463/0000000000000101a6ec423efffd45e070f3aa628d4ab9fd688abb9eb26555f8
>
> See anything wrong with it? Any attacker or man-in-the-middle will know exactly what you were searching for simply by looking at the URL you arrive at. Just as if you search for a transaction that hit this wallet "11CtTrDnLu2DtbQJPYDUVGf5ZeQ7RB1ao", you arrive at this SSL-enabled page "https://blockchain.info/address/11CtTrDnLu2DtbQJPYDUVGf5ZeQ7RB1ao"
>
> The page is only encrypted to prevent a man in the middle from replacing information on each result page, but it does zero in the name of user privacy. Adding a redirect won't change anything.

Correct me if I am wrong, but URLs are encrypted in SSL as well.
ianp
June 14, 2013, 03:24:31 PM
 #5

> > So, if I go to blockchain.info and search for a transaction, upon hitting post, it redirects me to the SSL version of their site. This is where it redirected me, as a matter of fact:
> >
> > https://blockchain.info/block-index/393463/0000000000000101a6ec423efffd45e070f3aa628d4ab9fd688abb9eb26555f8
> >
> > See anything wrong with it? Any attacker or man-in-the-middle will know exactly what you were searching for simply by looking at the URL you arrive at. Just as if you search for a transaction that hit this wallet "11CtTrDnLu2DtbQJPYDUVGf5ZeQ7RB1ao", you arrive at this SSL-enabled page "https://blockchain.info/address/11CtTrDnLu2DtbQJPYDUVGf5ZeQ7RB1ao"
> >
> > The page is only encrypted to prevent a man in the middle from replacing information on each result page, but it does zero in the name of user privacy. Adding a redirect won't change anything.
>
> Correct me if I am wrong, but URLs are encrypted in SSL as well.

You are correct.
ripper234 (OP)
June 14, 2013, 04:28:52 PM
 #6

Redirect upon form submission is useless - the form is still originally submitted over HTTP, so the information goes over clear text. Afterwards you get redirected, but your security has already been compromised.

lucasjkr
June 14, 2013, 05:12:56 PM
 #7

I take back what I said, and am instead pleasantly surprised. I had always been under the impression that GET requests were inherently insecure, even over HTTPS. Googled a bit just now and my understanding is now corrected.
tinus42
June 14, 2013, 05:55:57 PM
 #8

Install HTTPS Everywhere in Firefox or Chrome and you need not worry about accidentally going to an insecure page:

https://www.eff.org/https-everywhere

But yes it would be better if it was the default.
Abdussamad
June 14, 2013, 06:01:58 PM
 #9

HTTPS traffic takes up more server resources than HTTP traffic. It takes up more CPU and RAM. Given that blockchain.info is a free service I see no reason why the webmaster should spring for more servers just to please some people.

If you are paranoid about this you should use the HTTPS version. Bookmark it and always visit the site via the bookmark.
SgtSpike
June 14, 2013, 06:35:39 PM
 #10

> Redirect upon form submission is useless - the form is still originally submitted over HTTP, so the information goes over clear text. Afterwards you get redirected, but your security has already been compromised.

Which is why I agree with you that, if https were to be implemented for search queries, it should start at the homepage.

> HTTPS traffic takes up more server resources than HTTP traffic. It takes up more CPU and RAM. Given that blockchain.info is a free service I see no reason why the webmaster should spring for more servers just to please some people.
>
> If you are paranoid about this you should use the HTTPS version. Bookmark it and always visit the site via the bookmark.

But there's this too. It certainly increases real costs to implement HTTPS on every page, not to mention that pages will generally load slower for users.
ripper234 (OP)
June 14, 2013, 07:56:43 PM
 #11

> But there's this too. It certainly increases real costs to implement HTTPS on every page, not to mention that pages will generally load slower for users.

Only piuk can say if this is a meaningful cost or a negligible one.
HTTPS is usually handled at the load balancer / front end servers, and AFAIK doesn't really take up a meaningful amount of resources.

zedicus
June 14, 2013, 08:05:09 PM
 #12

> Install HTTPS Everywhere in Firefox or Chrome and you need not worry about accidentally going to an insecure page:
>
> https://www.eff.org/https-everywhere
>
> But yes it would be better if it was the default.




Indeed!~


But SgtSpike is right! Server load and costs will increase and  SSL on every page will slow it all down for sure!

 
Abdussamad
June 15, 2013, 01:44:40 AM
 #13

> > But there's this too. It certainly increases real costs to implement HTTPS on every page, not to mention that pages will generally load slower for users.
>
> Only piuk can say if this is a meaningful cost or a negligible one.
> HTTPS is usually handled at the load balancer / front end servers, and AFAIK doesn't really take up a meaningful amount of resources.

HTTPS does take up much more resources in my experience. I used to run a network of sites and when I enabled SSL access load and memory usage shot up a lot.
ripper234 (OP)
June 15, 2013, 04:16:49 AM
 #14

> HTTPS does take up much more resources in my experience. I used to run a network of sites and when I enabled SSL access load and memory usage shot up a lot.

Yeah, but compared to what?
When the baseline is a static content site, sure.
When the baseline is a complicated site like blockchain.info with multiple different processes - I'm not sure the relative added cost would be that significant.

Abdussamad
June 15, 2013, 05:06:19 AM
 #15

> > HTTPS does take up much more resources in my experience. I used to run a network of sites and when I enabled SSL access load and memory usage shot up a lot.
>
> Yeah, but compared to what?
> When the baseline is a static content site, sure.
> When the baseline is a complicated site like blockchain.info with multiple different processes - I'm not sure the relative added cost would be that significant.

Compared to a dynamic site. Specifically a site running a copy of the glype proxy script. Very dynamic - every single request including those for images and other linked content goes through a PHP file. Only caching is APC PHP bytecode caching. No database usage, which is different from blockchain.info, but still you get the idea.

HTTPS increases resource usage significantly. This is what my experience has taught me.
ripper234 (OP)
June 15, 2013, 05:22:30 AM
 #16

> HTTPS increases resource usage significantly. This is what my experience has taught me.

OK then.
The right course of action would be to measure the specific data on blockchain.info and decide.
In any case, I installed HTTPS Everywhere myself.

pembo210
June 16, 2013, 12:16:05 AM
Last edit: June 19, 2013, 09:37:34 AM by pembo210
 #17

What about a way to see just the basic info without loading the full page and images?
Like 5 last incoming/outgoing or balance?

Edit: like the way https://blockchain.info/q/getblockcount shows only text,
show only:   
last   {in/out, amount, to/from account, #of confirms, time/date, balance}
2 ago {in/out, amount, to/from account, #of confirms, time/date, balance}
3 ago {in/out, amount, to/from account, #of confirms, time/date, balance}