btc.to needs to use https

[jimbobway]

If you guys are out there you guys really need to use https instead of just http for your calls.  It is not safe without it.

[1713531145]

1713531145

[1713531145]

1713531145

[1713531145]

1713531145

[1713531145]

1713531145

[1713531145]

1713531145

[1713531145]

1713531145

[jostmey]

Why?

They are a URL shorten-er. The URL request is not encrypted over HTTPs if my memory serves me correctly. So it would not bring any added security, and it would just slow down their website.

Their are many reasons why to not use HTTPs, or to at least not use HTTPs on every page.

• Sluggish website.
• Scary looking security popups in IE because some material in the page is not HTTPs protected.

[Chick]

If you guys are out there you guys really need to use https instead of just http for your calls.  It is not safe without it.

From someone who doesn't understand shit about how the web works. Could you please tell me why https would provide even a tiny shit of protection? The only thing I can see coming out of this is increased bandwidth usage and slower pages.

"Oh ho ho, you guys need https because it protects public Bitcoin addresses from being intercepted!"

[jimbobway]

He's right.  The reason btc.to needs to use HTTPS is to prevent Man In The Middle attacks.  Currently. someone could change the return value of http://btc.to/1 from the real address to their own address.

That being said we've always planned on adding it, we were just waiting to see if btc.to would get some real traction with users.  At this point we feel it has and will be adding HTTPS as well as HSTS soon so no matter how you access it you'll always be protected using HTTPS.  We'll also start publishing our entire DB shortly so that people can verify for themselves we aren't manipulating the shortened addresses.

Thank you very much for your response.

[theymos]

I don't think it needs to be the default, though it should be supported if it isn't already.

The URL request is not encrypted over HTTPs if my memory serves me correctly.

Wrong.

[wumpus]

He's right.  The reason btc.to needs to use HTTPS is to prevent Man In The Middle attacks.  Currently. someone could change the return value of http://btc.to/1 from the real address to their own address.

^^ Exactly

Also "SSL is slow" is a myth on modern hardware. Please stop propagating it for the sake of internet security.

[theymos]

Also "SSL is slow" is a myth on modern hardware. Please stop propagating it for the sake of internet security.

The crypto is not exceptionally slow, but the additional packets are. A full TLS handshake requires at least four additional packets. Also, some browsers will delay the connection until they've performed an OCSP check on the certificate, which can alone take up to a half second. All of this can add up to seconds of additional delay.

I performed a simple test on http://blockexplorer.com/q/getblockcount . The HTTP version took 0.24 seconds, while the HTTPS version took 1.00 second. (This is due mostly to the handshake: additional requests would take almost the same time.)

[wumpus]

The crypto is not exceptionally slow, but the additional packets are. A full TLS handshake requires at least four additional packets. Also, some browsers will delay the connection until they've performed an OCSP check on the certificate, which can alone take up to a half second. All of this can add up to seconds of additional delay.

That's only for the first access. After that, the session can be cached. Also, there has been a lot of work (by Google, for example) in removing the extra roundtrip which is in newer browsers and webservers. See how fast gmail.com is *with* HTTPS?

It really is a non-issue these days. Just use HTTPS. If it's noticably slower you're using old broken software (either browser or webserver).

And even with a slight delay, the added security is worth it.