Bitcoin Forum
Author Topic: btc.to needs to use https  (Read 948 times)
jimbobway
Legendary
Activity: 1380
July 28, 2011, 03:59:01 PM
 #1

If you guys are out there you guys really need to use https instead of just http for your calls.  It is not safe without it.

jostmey
Full Member
Activity: 224
July 28, 2011, 10:48:33 PM
 #2

Why?

They are a URL shortener. The URL request is not encrypted over HTTPS if my memory serves me correctly. So it would not bring any added security, and it would just slow down their website.

There are many reasons not to use HTTPS, or to at least not use HTTPS on every page.
  • Sluggish website.
  • Scary looking security popups in IE because some material in the page is not HTTPS protected.

Chick
Member
Activity: 70
July 28, 2011, 11:39:46 PM
 #3

If you guys are out there you guys really need to use https instead of just http for your calls.  It is not safe without it.

From someone who doesn't understand shit about how the web works. Could you please tell me why https would provide even a tiny shit of protection? The only thing I can see coming out of this is increased bandwidth usage and slower pages.

"Oh ho ho, you guys need https because it protects public Bitcoin addresses from being intercepted!"

jimbobway
Legendary
Activity: 1380
July 29, 2011, 04:25:11 AM
 #4

He's right.  The reason btc.to needs to use HTTPS is to prevent Man In The Middle attacks.  Currently, someone could change the return value of http://btc.to/1 from the real address to their own address.

That being said we've always planned on adding it, we were just waiting to see if btc.to would get some real traction with users.  At this point we feel it has and will be adding HTTPS as well as HSTS soon so no matter how you access it you'll always be protected using HTTPS.  We'll also start publishing our entire DB shortly so that people can verify for themselves we aren't manipulating the shortened addresses.

Thank you very much for your response.


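An added example, not part of the thread: a toy model of how a browser's HSTS store (RFC 6797) treats the HSTS plan mentioned in post #4. The class and function names and the timestamps are constructed for illustration, and only default ports are handled. It shows that the policy is only learned from a response received over HTTPS, so the first plain-HTTP visit is not upgraded.

```python
from urllib.parse import urlsplit, urlunsplit

class HSTSStore:
    """Toy model of a browser's HSTS store (RFC 6797); names are illustrative."""
    def __init__(self):
        self._hosts = {}  # host -> (expiry time in seconds, includeSubDomains)

    def note_response(self, url, headers, now):
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        # Ignored on plain HTTP: an on-path attacker could forge or strip it.
        if parts.scheme != "https" or value is None:
            return
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            name, arg = name.strip().lower(), arg.strip().strip('"')
            if name == "max-age" and arg.isdigit():
                max_age = int(arg)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return  # max-age is mandatory; a header without it sets no policy
        if max_age == 0:
            self._hosts.pop(parts.hostname, None)  # max-age=0 removes the policy
        else:
            self._hosts[parts.hostname] = (now + max_age, include_sub)

    def upgrade(self, url, now):
        """Rewrite http:// to https:// when an unexpired policy covers the host."""
        parts = urlsplit(url)
        labels = (parts.hostname or "").split(".")
        for i in range(len(labels)):
            expiry, include_sub = self._hosts.get(".".join(labels[i:]), (0, False))
            # Exact host always matches; parent domains only with includeSubDomains.
            if parts.scheme == "http" and expiry > now and (i == 0 or include_sub):
                return urlunsplit(("https",) + tuple(parts)[1:])
        return url

def demo():
    hdr = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    store = HSTSStore()
    first = store.upgrade("http://btc.to/1", now=0)        # no policy yet
    store.note_response("http://btc.to/1", hdr, now=0)     # header over HTTP
    still_http = store.upgrade("http://btc.to/1", now=1)
    store.note_response("https://btc.to/1", hdr, now=1)    # header over HTTPS
    upgraded = store.upgrade("http://btc.to/1", now=2)
    expired = store.upgrade("http://btc.to/1", now=1 + 31536000)
    return first, still_http, upgraded, expired
```

The window before the first HTTPS response, and the one after the policy expires, is what HSTS preload lists and long max-age values are meant to narrow.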
theymos
Administrator
Legendary
Activity: 2506
July 29, 2011, 05:47:11 AM
 #5

I don't think it needs to be the default, though it should be supported if it isn't already.

The URL request is not encrypted over HTTPs if my memory serves me correctly.

Wrong.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
wumpus
Hero Member
Activity: 798
No Maps for These Territories
July 29, 2011, 06:18:44 AM
 #6

He's right.  The reason btc.to needs to use HTTPS is to prevent Man In The Middle attacks.  Currently, someone could change the return value of http://btc.to/1 from the real address to their own address.
^^ Exactly

Also "SSL is slow" is a myth on modern hardware. Please stop propagating it for the sake of internet security.

Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through File → Backup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.
theymos
Administrator
Legendary
Activity: 2506
July 29, 2011, 06:53:14 AM
 #7

Also "SSL is slow" is a myth on modern hardware. Please stop propagating it for the sake of internet security.

The crypto is not exceptionally slow, but the additional packets are. A full TLS handshake requires at least four additional packets. Also, some browsers will delay the connection until they've performed an OCSP check on the certificate, which can alone take up to a half second. All of this can add up to seconds of additional delay.

I performed a simple test on http://blockexplorer.com/q/getblockcount . The HTTP version took 0.24 seconds, while the HTTPS version took 1.00 second. (This is due mostly to the handshake: additional requests would take almost the same time.)

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
wumpus
Hero Member
Activity: 798
No Maps for These Territories
July 29, 2011, 08:01:45 AM
 #8

The crypto is not exceptionally slow, but the additional packets are. A full TLS handshake requires at least four additional packets. Also, some browsers will delay the connection until they've performed an OCSP check on the certificate, which can alone take up to a half second. All of this can add up to seconds of additional delay.
That's only for the first access. After that, the session can be cached. Also, there has been a lot of work (by Google, for example) in removing the extra roundtrip which is in newer browsers and webservers. See how fast gmail.com is *with* HTTPS?

It really is a non-issue these days. Just use HTTPS. If it's noticeably slower you're using old broken software (either browser or webserver).

And even with a slight delay, the added security is worth it.


Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through File → Backup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.