Topic: btc.to needs to use https
jimbobway (OP)
July 28, 2011, 03:59:01 PM
 #1

If you guys are out there you guys really need to use https instead of just http for your calls.  It is not safe without it.
jostmey
July 28, 2011, 10:48:33 PM
 #2

Why?

They are a URL shortener. The URL request is not encrypted over HTTPS if my memory serves me correctly. So it would not bring any added security, and it would just slow down their website.

There are many reasons not to use HTTPS, or at least not to use HTTPS on every page.
  • Sluggish website.
  • Scary looking security popups in IE because some material in the page is not HTTPS protected.

Chick
July 28, 2011, 11:39:46 PM
 #3

If you guys are out there you guys really need to use https instead of just http for your calls.  It is not safe without it.

From someone who doesn't understand shit about how the web works. Could you please tell me why https would provide even a tiny shit of protection? The only thing I can see coming out of this is increased bandwidth usage and slower pages.

"Oh ho ho, you guys need https because it protects public Bitcoin addresses from being intercepted!"

jimbobway (OP)
July 29, 2011, 04:25:11 AM
 #4

He's right.  The reason btc.to needs to use HTTPS is to prevent Man In The Middle attacks.  Currently, someone could change the return value of http://btc.to/1 from the real address to their own address.

That being said we've always planned on adding it, we were just waiting to see if btc.to would get some real traction with users.  At this point we feel it has and will be adding HTTPS as well as HSTS soon so no matter how you access it you'll always be protected using HTTPS.  We'll also start publishing our entire DB shortly so that people can verify for themselves we aren't manipulating the shortened addresses.

Thank you very much for your response.
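
An added example, not part of the original posts and not btc.to's code: a client-side check for the address substitution described in post #4. It refuses plaintext responses, compares the returned address with a locally saved copy of the published table, and reads the HSTS header per RFC 6797; the table contents, the response format (address as the body) and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample: local copy of the published short-code -> address table.
# The code and address are placeholders, not real btc.to data.
PUBLISHED_DB = {"1": "1ExampleAddrPublishedByOperatorXXXX"}

def parse_hsts(scheme, header):
    """Return max-age/includeSubDomains if the header sets a usable HSTS policy.

    RFC 6797: the header is ignored on plain HTTP, directive names are
    case-insensitive, and max-age is required (max-age=0 clears the policy).
    """
    if scheme != "https" or not header:
        return None
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not max_age.isdecimal() or int(max_age) == 0:
        return None
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in directives}

def check_resolution(url, headers, body, published=PUBLISHED_DB):
    """Decide whether a shortener response can be trusted for a payment."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "reject: plaintext response can be rewritten in transit"
    code = parts.path.strip("/")
    address = body.strip()
    # An unknown code or a mismatching address is treated the same way.
    if published.get(code) != address:
        return "reject: address differs from published table"
    if parse_hsts(parts.scheme, headers.get("Strict-Transport-Security")) is None:
        return "accept: verified, but no HSTS policy set"
    return "accept: verified over HTTPS with HSTS"
```

Because a browser only honours the HSTS header when it arrives over HTTPS, the very first plaintext request to the host is still exposed until a policy has been stored.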
theymos
July 29, 2011, 05:47:11 AM
 #5

I don't think it needs to be the default, though it should be supported if it isn't already.

The URL request is not encrypted over HTTPs if my memory serves me correctly.

Wrong.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
wumpus
July 29, 2011, 06:18:44 AM
 #6

He's right.  The reason btc.to needs to use HTTPS is to prevent Man In The Middle attacks.  Currently, someone could change the return value of http://btc.to/1 from the real address to their own address.
^^ Exactly

Also "SSL is slow" is a myth on modern hardware. Please stop propagating it for the sake of internet security.

Bitcoin Core developer [PGP] Warning: For most, coin loss is a larger risk than coin theft. A disk can die any time. Regularly back up your wallet through FileBackup Wallet to an external storage or the (encrypted!) cloud. Use a separate offline wallet for storing larger amounts.
theymos
July 29, 2011, 06:53:14 AM
 #7

Also "SSL is slow" is a myth on modern hardware. Please stop propagating it for the sake of internet security.

The crypto is not exceptionally slow, but the additional packets are. A full TLS handshake requires at least four additional packets. Also, some browsers will delay the connection until they've performed an OCSP check on the certificate, which can alone take up to a half second. All of this can add up to seconds of additional delay.

I performed a simple test on http://blockexplorer.com/q/getblockcount . The HTTP version took 0.24 seconds, while the HTTPS version took 1.00 second. (This is due mostly to the handshake: additional requests would take almost the same time.)

wumpus
July 29, 2011, 08:01:45 AM
 #8

The crypto is not exceptionally slow, but the additional packets are. A full TLS handshake requires at least four additional packets. Also, some browsers will delay the connection until they've performed an OCSP check on the certificate, which can alone take up to a half second. All of this can add up to seconds of additional delay.
That's only for the first access. After that, the session can be cached. Also, there has been a lot of work (by Google, for example) in removing the extra roundtrip which is in newer browsers and webservers. See how fast gmail.com is *with* HTTPS?

It really is a non-issue these days. Just use HTTPS. If it's noticeably slower you're using old broken software (either browser or webserver).

And even with a slight delay, the added security is worth it.

