https:/ vs http:/ - does it really benefit web browsing privacy?

HarryN

Flashlight Enthusiast
Joined
Jan 22, 2004
Messages
3,977
Location
Pleasanton (Bay Area), CA, USA
It is time for me to refresh my small business web site, and I have come across the "movement" to make all web sites use https:/ vs http:/. (secure vs open access web sites). I am trying to determine if this really benefits the privacy of those who visit my site, or actually helps to undermine it.

BTW, my web site is really just a static business brochure with a few pages, nothing special. I don't pay google or anyone else for advertising and it has nothing to do with flashlights.

The claimed motivation for this move to https appears to be:
- https:/ is a "secure" connection, and that is always better – not sure why though?
- If "all" connections are secured, including ones that do not matter, then when data is actually important to be secured, it is harder to filter this out. This sort of makes sense to me.
- The meta data about the visitor is more strongly hidden, making it much harder for third party marketing / spying on your browsing companies like google and double-click to monitor your cookie trail of visits.
- It automatically authenticates both the web site and the end user, at least to some level.

I am having some doubts about if this is a good idea or not:
- It seems like google would not promote an idea that goes against their fundamental business model of tracking your every move, but rather would promote ideas that make this better for them, perhaps at the expense of others.
- If the connection actually authenticates the person reading the web site, this seems like it becomes "less" private for them, not more private.
- In some ways, it reminds me of how ICANN (the web control organization) shifted everyone so that web site owners had to reveal very private data to the whois, and then "pay" to keep it private. Forcing web sites to use https adds another one of these "unnecessary fees" to the cost of operating a web site, so adding to google's profitability at no clear benefit to the users.

If anyone has any opinions on this area, I would really like to hear them, technical, business, or political.

Thanks
 

gadget_lover

Flashaholic
Joined
Oct 7, 2003
Messages
7,148
Location
Near Silicon Valley (too near)
There are several good reasons for you to go with HTTPS.

First, getting an SSL cert (certificate that proves that your web site is your web site) does not benefit Google. Not one bit. They may sell certs, but certs are available from a lot of folks.

Second, a cert authenticates YOUR website to the user. You have no idea who the user is. The idea is that when they type https://www.harryn.com they will get a warning if someone has hijacked your DNS and redirected them to www.badguys.com.

Third. Google will have exactly the same visibility as always. They can access a website using HTTPS just like any other user. Cookies are exchanged between your web server and the user's browser, even over a secure http link. It's the web servers themselves that do the tracking.

un-numbered.. :) A secure http connection is hard to eavesdrop on. This means that your ISP's computer geeks will be able to see that you connected to www.trumpisgod.com but they can't tell if you clicked "No he's not" or "Yes he is!".

Google does not have a means to monitor your internet activity at the TCP-IP level. It monitors your activity by gathering information from web sites that gladly agree to send it to google in exchange for a few cents a click. It gets information when you agree to use their products. It does not need to break into networks. :)

Secure HTTP works fairly well. Even the NSA has problems decoding secure http traffic. That's why they have a process to hack websites so they can install malware that will track bad guys.

People tend to use the same username and password on multiple sites, so if they (bad guys) can hack a router and snag the passwords used to log into your site, they might be able to use that same information at a bank's web site.

Secure http prevents ISPs actions like inserting ads into your web page without your knowledge. It also keeps them (Verizon) from inserting tracking information at the network level.



The downside of https: you have to renew the cert every few years. The Certificate Authorities (CAs) that sell certs charge way too much for doing very little. Secure SSL traffic is encrypted from one computer to another but not effective against keystroke loggers. People get blasé about broken certs, and bypass the warnings. It can be a hassle to install a cert in some cases.

Dan
 
Last edited:

badtziscool

Flashlight Enthusiast
Joined
Oct 13, 2006
Messages
1,722
- https:/ is a "secure" connection, and that is always better – not sure why though?
If you make all web connections secure, then you don't have to be discriminating on what should be secure and what should not. Just make everything secure and not worry about potential data not being secure.


- The meta data about the visitor is more strongly hidden, making it much harder for third party marketing / spying on your browsing companies like google and double-click to monitor your cookie trail of visits.
This is not necessarily the case. All https does is ensure that the transport of data from visitor to vendor is secure. Most tracking cookies and browsing companies are looking at your surfing habits from your computer or from the hosting website, at which point, the data is no longer secure by https.

- It automatically authenticates both the web site and the end user, at least to some level.
In order for https to work, the website must purchase an SSL certificate. These certificates are provided by well known and trusted authorities, who (should) vet those that are purchasing these certificates. From the visitor side, their web browser has a list of these well known authorities. When the visitor goes to a https website, the browser will see the SSL certificate, and it will check it against the authority the certificate claims to be from. If it all checks out, then the web browser will give the visitor a confirmation that the site is a good site and it is who they say they are.

I am having some doubts about if this is a good idea or not:
- It seems like google would not promote an idea that goes against their fundamental business model of tracking your every move, but rather would promote ideas that make this better for them, perhaps at the expense of others.

Again, they are still able to track since https only secures the transmission of data.

- If the connection actually authenticates the person reading the web site, this seems like it becomes "less" private for them, not more private.
The end user is not authenticated in any way. The process of establishing an https connection does not, in any way, identify you or expose your personal data. Take the scenario of you approaching a police station. They do not know who you are, but you are able to identify them as policemen because of their location, uniform, badge number, etc. Establishing an https connection works in a very similar manner.

- In some ways, it reminds me of how ICANN (the web control organization) shifted everyone so that web site owners had to reveal very private data to the whois, and then "pay" to keep it private. Forcing web sites to use https adds another one of these "unnecessary fees" to the cost of operating a web site, so adding to google's profitability at no clear benefit to the users.
I agree with this somewhat, but in order to be able to make sure www.candlepowerforums.com is who they say they are, it's necessary for them to identify themselves. Of course, the "pay" to keep it private is a pure business decision. However, no one really forces any website to use https, but if a vendor wants to keep their customers, they need to make sure that the data that's being transmitted to them is not readable to anyone else that may be intercepting the data in between.
 

HarryN

Thanks for the replies - I am looking more deeply at the implementation.

It appears that there are at least two "levels" of HTTPS certificates sold:
- A lower level one mostly for privacy
- A higher level one focused on web selling which costs 10X as much.

The lower cost one appears to be in the "reasonable" price range.

I appreciate all of the inputs.
 

badtziscool

I purchase SSL certs for my agency all the time. I can tell you, there is no difference, functionally, between all of the different levels of certificates you can purchase. However, they do provide some added features that modern web browsers can take advantage of, which can make your intended audience feel more secure. However, some of the biggest internet entities (google, amazon, etc.) don't even use these features, so I would say they are unnecessary.

