
Thread: https:/ vs http:/ - does it really benefit web browsing privacy ?

  1. #1
    Flashaholic*
    Join Date
    Jan 2004
    Location
    Pleasanton (Bay Area), CA, USA
    Posts
    3,845

    https:/ vs http:/ - does it really benefit web browsing privacy ?

    It is time for me to refresh my small business web site, and I have come across the “movement” to make all web sites use https:/ vs http:/. (secure vs open access web sites). I am trying to determine if this really benefits the privacy of those who visit my site, or actually helps to undermine it.

    BTW, my web site is really just a static business brochure with a few pages, nothing special. I don't pay google or anyone else for advertising and it has nothing to do with flashlights.

    The claimed motivation for this move to https appears to be:
    - https:/ is a “secure” connection, and that is always better – not sure why though?
    - If “all” connections, including ones that do not matter, then when data is actually important to be secured, it is harder to filter this out. This sort of makes sense to me.
    - The meta data about the visitor is more strongly hidden, making it much harder for third party marketing / spying on your browsing companies like google and double-click to monitor your cookie trail of visits.
    - It automatically authenticates both the web site and the end user, at least to some level.

    I am having some doubts about if this is a good idea or not:
    - It seems like google would not promote an idea that goes against their fundamental business model of tracking your every move, but rather would promote ideas that makes this better for them, perhaps at the expense of others.
    - If the connection actually authenticates the person reading the web site, this seems like it becomes “less” private for them, not more private.
    - In some ways, it reminds me of how ICANN (the web control organization) shifted everyone so that web site owners had to reveal very private data to the whois, and then “pay” to keep it private. Forcing web sites to use https adds another one of these “unnecessary fees” to the cost of operating a web site, so adding to google's profitability at no clear benefit to the users.

    If anyone has any opinions on this area, I would really like to hear them, technical, business, or political.

    Thanks
    Powered by LibreOffice and Linux Mint

  2. #2
    *Flashaholic* gadget_lover's Avatar
    Join Date
    Oct 2003
    Location
    Near Silicon Valley (too near)
    Posts
    7,129

    Re: https:/ vs http:/ - does it really benefit web browsing privacy ?

    There are several good reasons for you to go with HTTPS.

    First, getting an SSL cert (certificate that proves that your web site is your web site) does not benefit Google. Not one bit. They may sell certs, but certs are available from a lot of folks.

    Second, a cert authenticates YOUR website to the user. You have no idea who the user is. The idea is that when they type https://www.harryn.com they will get a warning if someone has hijacked your DNS and redirected them to www.badguys.com.

    Third. Google will have exactly the same visibility as always. They can access a website using HTTPS just like any other user. Cookies are exchanged between your web server and the user's browser, even over a secure http link. It's the web servers themselves that do the tracking.

    un-numbered.. A secure http connection is hard to eavesdrop on. This means that your ISP's computer geeks will be able to see that you connected to www.trumpisgod.com but they can't tell if you clicked "No he's not" or "Yes he is!".

    Google does not have a means to monitor your internet activity at the TCP-IP level. It monitors your activity by gathering information from web sites that gladly agree to send it to google in exchange for a few cents a click. It gets information when you agree to use their products. It does not need to break into networks.

    Secure HTTP works fairly well. Even the NSA has problems decoding secure http traffic. That's why they have a process to hack websites so they can install malware that will track bad guys.

    People tend to use the same username and password on multiple sites, so if they (bad guys) can hack a router and snag the passwords used to log into your site, they might be able to use that same information at a bank's web site.

    Secure http prevents ISPs actions like inserting ads into your web page without your knowledge. It also keeps them (Verizon) from inserting tracking information at the network level.



    The downside of https: you have to renew the cert every few years. The Certificate Authorities (CAs) that sell certs charge way too much for doing very little. Secure SSL traffic is encrypted from one computer to another but not effective against keystroke loggers. People get blasé about broken certs, and bypass the warnings. It can be a hassle to install a cert in some cases.

    Dan
    Last edited by gadget_lover; 02-03-2016 at 11:03 PM. Reason: Finished an incomplete thought.
    ================================================== =
    I have got to plan my procrastination better!

  3. #3

    Re: https:/ vs http:/ - does it really benefit web browsing privacy ?

    +1 million
    John 3:16

  4. #4

    Re: https:/ vs http:/ - does it really benefit web browsing privacy ?

    - https:/ is a “secure” connection, and that is always better – not sure why though?
    If you make all web connections secure, then you don't have to be discriminant on what should be secure and what should not. Just make everything secure and not worry about potential data not being secure.


    - The meta data about the visitor is more strongly hidden, making it much harder for third party marketing / spying on your browsing companies like google and double-click to monitor your cookie trail of visits.
    This is not necessarily the case. All https does is ensure that the transport of data from visitor to vendor is secure. Most tracking cookies and browsing companies are looking at your surfing habits from your computer or from the hosting website, at which point, the data is no longer secure by https.

    - It automatically authenticates both the web site and the end user, at least to some level.
    In order for https to work, the website must purchase an SSL certificate. These certificates are provided by well known and trusted authorities, who (should) vet those that are purchasing these certificates. From the visitor side, their web browser has a list of these well known authorities. When the visitor goes to a https website, the browser will see the SSL certificate, and it will check it against the authority the certificate claims to be from. If it all checks out, then the web browser will give the visitor a confirmation that the site is a good site and it is who they say they are.

    I am having some doubts about if this is a good idea or not:
    - It seems like google would not promote an idea that goes against their fundamental business model of tracking your every move, but rather would promote ideas that makes this better for them, perhaps at the expense of others.

    Again, they are still able to track since https only secures the transmission of data.

    - If the connection actually authenticates the person reading the web site, this seems like it becomes “less” private for them, not more private.
    The end user is not authenticated in any way. The process of establishing an https connection does not, in any way, identify you or expose your personal data. Take the scenario of you approaching a police station. They do not know who you are, but you are able to identify them as policemen because of their location, uniform, badge number, etc. Establishing an https connection works in a very similar manner.

    - In some ways, it reminds me of how ICANN (the web control organization) shifted everyone so that web site owners had to reveal very private data to the whois, and then “pay” to keep it private. Forcing web sites to use https adds another one of these “unnecessary fees” to the cost of operating a web site, so adding to google's profitability at no clear benefit to the users.
    I agree with this somewhat, but in order to be able to make sure www.candlepowerforums.com is who they say they are, it's necessary for them to identify themselves. Of course, the "pay" to keep it private is a pure business decision. However, no one really forces any website to use https, but if a vendor wants to keep their customers, they need to make sure that the data that's being transmitted to them is not readable to anyone else that may be intercepting the data in between.
    Who needs to see the light at the end of the tunnel when you have friends on CPF?
    My flashlight videos: http://www.youtube.com/playlist?list...9TIYcGeuBXa5m0
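
Added example, not part of any post in this thread: a Python sketch of the two points made in the replies above, that only the web site presents a certificate and that the client rejects a certificate whose names do not cover the host it asked for. The `.example` host names and both certificate dicts are constructed, the name matcher is a simplified illustration, and checking the CA signature chain is left to the `ssl` library.

```python
import ssl

def default_tls_roles():
    """Who has to prove identity under Python's default TLS settings."""
    client = ssl.create_default_context()  # browser-like side
    server = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)  # web-server side
    return {
        "client_verifies_server": client.verify_mode == ssl.CERT_REQUIRED,
        "client_checks_hostname": client.check_hostname,
        "server_demands_client_cert": server.verify_mode != ssl.CERT_NONE,
    }

def name_matches(pattern, hostname):
    """Simplified RFC 6125 rule: exact match, or '*' as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*" and len(p) > 2:  # refuse TLD-wide patterns such as '*.example'
        return p[1:] == h[1:] and h[0] != ""
    return p == h

def cert_covers(cert, hostname):
    """cert uses the dict layout returned by ssl.SSLSocket.getpeercert()."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(name_matches(san, hostname) for san in sans)

# Constructed certificates: the real site's, and the one a server reached
# through hijacked DNS could legitimately hold (for its own name only).
SITE_CERT = {"subjectAltName": (("DNS", "www.shop.example"), ("DNS", "shop.example"))}
OTHER_CERT = {"subjectAltName": (("DNS", "www.badguys.example"),)}

if __name__ == "__main__":
    print(default_tls_roles())
    print("real site accepted:", cert_covers(SITE_CERT, "www.shop.example"))
    print("hijacked answer accepted:", cert_covers(OTHER_CERT, "www.shop.example"))
```
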

  5. #5
    *Flashaholic* gadget_lover's Avatar
    Join Date
    Oct 2003
    Location
    Near Silicon Valley (too near)
    Posts
    7,129

    Re: https:/ vs http:/ - does it really benefit web browsing privacy ?

    Quote Originally Posted by bykfixer View Post
    +1 million
    Thanks! I thought it would take years to get 1 million "likes".

    Dan
    ================================================== =
    I have got to plan my procrastination better!

  6. #6
    Flashaholic*
    Join Date
    Jan 2004
    Location
    Pleasanton (Bay Area), CA, USA
    Posts
    3,845

    Re: https:/ vs http:/ - does it really benefit web browsing privacy ?

    Thanks for the replies - I am looking more deeply at the implementation.

    It appears that there are at least two "levels" of HTTPS certificates sold:
    - A lower level one mostly for privacy
    - A higher level one focused on web selling which cost 10X as much.

    The lower cost one appears to be in the "reasonable" price range.

    I appreciate all of the inputs.

  7. #7

    Re: https:/ vs http:/ - does it really benefit web browsing privacy ?

    I purchase SSL certs for my agency all the time. I can tell you, there is no difference, functionally, between all of the different levels of certificates you can purchase. However, they do provide some added features that modern web browsers can take advantage of, which can make your intended audience feel more secure. However, some of the biggest internet entities (google, amazon, etc.) don't even use these features, so I would say they are unnecessary.


    Quote Originally Posted by HarryN View Post
    Thanks for the replies - I am looking more deeply at the implementation.

    It appears that there are at least two "levels" of HTTPS certificates sold:
    - A lower level one mostly for privacy
    - A higher level one focused on web selling which cost 10X as much.

    The lower cost one appears to be in the "reasonable" price range.

    I appreciate all of the inputs.
    Who needs to see the light at the end of the tunnel when you have friends on CPF?
    My flashlight videos: http://www.youtube.com/playlist?list...9TIYcGeuBXa5m0
