
Thread: HTTPS/SSL certs

  1. #1
    Join Date
    Aug 2012
    Location
    In my basement
    Posts
    736

    HTTPS/SSL certs

    I don't suppose there's any chance that SMC will be implementing HTTPS site-wide at any point?

    Just curious since there are orgs that will cut SSL certs for free, or at most a very nominal fee.
    The Barefoot Woodworker.

    Fueled by leather, chrome, and thunder.

  2. #2
    This is just an "I'm curious" question. What advantage do you see to SMC going https? I know no one would be able to read the data in the IP packets, but it seems to me that the things discussed here are not things that many people would be interested in. And if they were, they could just read the forum since people don't have to register to read.

    Or maybe I don't have a full understanding of https.

    Mike
    Go into the world and do well. But more importantly, go into the world and do good.

  3. #3
    Join Date
    Feb 2003
    Location
    Hayes, Virginia
    Posts
    14,772
    I'm not sure what we might gain from a secure server at this point in time. We don't transfer any financial information and all of our email information is protected even from registered Members. Any other information here is open for viewing by everyone as Mike mentioned. I'm not an expert in this area, possibly you can share with us why you think we should consider the change.

  4. #4
    Join Date
    Aug 2012
    Location
    In my basement
    Posts
    736
    SSL certs aren't necessarily for encryption; they're for confirmation that no one has hijacked SMC. They're a trust tool, not an encryption tool. That's just a side effect of the keying process.

    They're a verification system to ensure the site that says it's SMC is, in fact, SMC.

    For example, DNS poisoning can redirect users to a site that's not SMC but says it's SMC.

    There are plenty of sites that use SSL but yet don't deal with financial information. Google. Pandora. Reddit. Slashdot. The Linux distro I use (Gentoo) has SSL for their forums.

    For anyone else that isn't tech savvy, SSL is created by signing a request for a certificate with a private key on the server requesting the key. A trusted authority then signs the request with its private key and issues a certificate. The requesting server presents this certificate to users saying "This site is verified by this authority to really be [site]."

    The encryption merely comes from when the connection is negotiated between the user and server as a side effect of the exchange of keys used to sign the certificates. The reason SSL should *not* be used as an encryption method was shown in the Heartbleed vulnerability. It compromised the encryption so that someone could see the information in transit from the server to client. However, it never compromised the trust that SSL creates.
    The Barefoot Woodworker.

    Fueled by leather, chrome, and thunder.
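The "is this really [site]?" check described in post #4 comes down to a client comparing the host it asked for against the names written into the certificate the server presents. The code below is an added example for this thread, not code from the forum or its software: it models the dict shape that Python's `ssl` module returns from `getpeercert()` and implements the simplified name-matching rule browsers apply, then shows why a DNS redirect to another server fails that check even when the other server has a perfectly valid CA-signed certificate for its own name. The host names (`forum.example`, `other-host.example`) and the sample certificates are constructed placeholders, not SMC's real domain or certificate.

```python
"""Hostname check a TLS client performs against a server certificate.

Added example for this thread (not the forum's own code). Certificates are
modelled in the dict shape ssl.SSLSocket.getpeercert() returns; the sample
certs and host names below are constructed placeholders.
"""
import ssl


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a requested hostname.

    Simplified RFC 6125 rules: case-insensitive; a single '*' is allowed only
    as the entire left-most label and matches exactly one label, so
    '*.example.com' covers 'www.example.com' but not 'example.com' or
    'a.b.example.com'; wildcards with fewer than three labels are refused.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False  # wildcard must be the whole left-most label
    if len(p_labels) < 3:
        return False  # refuse '*.com'-style wildcards
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Return True if `cert` (getpeercert() dict) is valid for `hostname`.

    When the certificate carries a subjectAltName extension, only its DNS
    entries count; the subject Common Name is consulted only for legacy
    certificates that have no SAN at all.
    """
    sans = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in sans if kind == "DNS"]
    if dns_names:
        return any(_dns_name_match(name, hostname) for name in dns_names)
    for rdn in cert.get("subject", ()):  # legacy fallback: no SAN present
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_match(value, hostname)
    return False


def build_client_context() -> ssl.SSLContext:
    """A client context that validates the chain AND checks the hostname.

    ssl.create_default_context() already enables both; they are set
    explicitly here to document the two separate checks a client relies on.
    """
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must lead to a trusted CA
    ctx.check_hostname = True            # and the cert must name this host
    return ctx


# Constructed sample certificates (placeholder names, not real certs).
LEGIT_CERT = {
    "subject": ((("commonName", "forum.example"),),),
    "subjectAltName": (("DNS", "forum.example"), ("DNS", "www.forum.example")),
}
# A CA-signed certificate for some other host: what a client sees if DNS
# poisoning sends it to a different server that merely claims to be the site.
OTHER_HOST_CERT = {
    "subject": ((("commonName", "other-host.example"),),),
    "subjectAltName": (("DNS", "other-host.example"),),
}

if __name__ == "__main__":
    ctx = build_client_context()
    print("check_hostname enabled:", ctx.check_hostname)
    for label, cert in (("legit cert", LEGIT_CERT), ("other host's cert", OTHER_HOST_CERT)):
        print(f"{label} valid for www.forum.example:",
              hostname_matches(cert, "www.forum.example"))
```

The point the script makes is the one post #4 argues: the certificate binds a name, and a client that lands on the wrong server after a DNS redirect sees a name mismatch regardless of how the session keys were negotiated. Disabling `check_hostname` (a common shortcut in scripts) throws away exactly that protection while leaving the encryption in place.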

  5. #5
    Join Date
    Feb 2009
    Location
    Bucks County, PA
    Posts
    973
    To Adam's point, the major browsers are already flagging non-HTTPS sites as insecure. If you click the Password box at the top of SMC in Chrome, a "Not Secure" box shows up to the left of the URL in the address bar. In Firefox, clicking in either the User Name or Password box will bring up a tooltip-style message pointing out that the connection is not secure. IE hasn't yet jumped on this bandwagon, but they probably will at some point. I believe Google is taking or going to start taking HTTP vs. HTTPS into account for its site rankings as well.

    While HTTPS is not fully secure, it is certainly more secure than HTTP. Passwords can easily be read when using HTTP, so that's a good reason to move to HTTPS right there.
    And there was trouble, taking place...

  6. #6
    Join Date
    Feb 2016
    Location
    NE Iowa
    Posts
    1,237
    I can't even log on from the browser I have on my laptop, as it won't transmit a login password (or anything marked as such in the HTML form) over a non-SSL connection.

    I really can't believe that in 2017 any website that thinks it's worth knowing its users and having a login/password system would do so over plain-text http.
