scraping a form from an ssl site and using it on your own - ssl

If I screen scrape a form from a site secured with SSL, and put that form on my site (which is also secured by SSL), do I still get the benefits of SSL?

Is the scrape process dynamic? Meaning, does it happen each time a user hits the wrapping page on your site, or are you doing it once and just using the result from that day forward?
In either case, there are two SSL sessions in play here. The first is between the computer performing the scrape - probably your web server - and the source server. The second, if applicable, will be between the browser and your server. You will be responsible for the SSL in this case.
Whether or not you "get the benefits of ssl" depends on which part of this process you're referring to.

Related

SSL for statically served web application

I'm building a serverless web application. My HTML, CSS and JavaScript are in a public storage location which my domain example.com points towards.
When my users navigate to my domain using their browser, their browser will GET these files from that location and then there is no further communication with example.com. The JavaScript application runs in the browser and communicates with a separate backend via HTTPS (in my case AWS, but could be e.g. Azure, Kinvey, BlueMix or others).
It therefore seems to be that there is no reason to encrypt the communication between my users' web browsers and xyz.com i.e. I don't need to provide https://example.com, and my doing so would provide no security benefit.
Am I correct?
The reason I ask is that I found at least two static hosting services which offer SSL support:
https://www.netlify.com/features#security
https://surge.sh/help/using-https-by-default
I am aware of the reasons for wanting HTTPS (described in the second link above and also at https://levels.io/default-to-https/ ...) but none of this seems to apply to my situation.
I believe this is a serious question because more applications will be built in this manner (the folks at http://serverlessconf.io/ certainly think so), and as long as the channel to the actual backend is secured there is no reason to secure the channel to what is essentially a read-only hard disk.
If you don't secure communication with example.com then a man-in-the-middle attacker (e.g. a rogue wifi hotspot) could modify the HTML and JavaScript loaded by users.
One way to use this would be to change the JavaScript so that subsequent API requests are sent to attacker-controlled servers instead of yours, compromising any credentials or information transferred.

Should I set https on every page?

I am building a marketplace which stores user sessions, etc. I just added SSL encryption for login and for payment (I am using Stripe as a payment gateway). I have seen sites like Facebook forcing HTTPS on every page, so that got me wondering: should I force HTTPS on every page or just on login and payment?
Side note: apparently SSL-encrypted pages load faster.
Yes. But not just because it loads faster, or even ranks better on Google than non-HTTPS sites, but mainly because of security. Having HTTPS makes it harder to do a man-in-the-middle attack, whereby an attacker intercepts the connection between your website and the user to either steal or modify data. The trouble with HTTP is that it is possible for someone to do exactly that, and then modify the links to point to a fake login page to steal data (this sounds paranoid but it happens).
While many pages use a script to check if the user is attempting to access HTTP and then redirect them to an HTTPS version, this might still be an issue for websites, as attackers can still 'strip' out any HTTPS links (known as the SSLStrip attack) to use only HTTP and then view the data. Take a look at enabling HSTS (HTTP Strict Transport Security) for enhanced security to avoid that. This is done by forcing browsers to only interact with the website on HTTPS connections and avoid any sort of downgrade attack.

Why websites don't always use SSL

SSL is very important to protecting users' private data on your website.
The more I see SSL used on websites, I have noticed that it is not used all the time, like Facebook, eBay, Google (YouTube), etc.
So my question is: Why pay for a SSL and have the ability to encrypt data while it travels over insecure networks (Internet mainly) then not use it on the whole site?
Why only encrypt parts of sites?
Why not just force SSL on page load?
It does occur to me that there must be a good reason, as it does not slow down the page by having one.
I was thinking of getting a SSL for my website so people can contact me without other people being able to see what they are sending (in case sensitive information really). So should I encrypt the whole site or just that one page.
Thank you for any help / thoughts on this matter.
Have a good day :)
Why pay for a SSL and have the ability to encrypt data while it
travels over insecure networks (Internet mainly) then not use it on
the whole site?
In theory a webpage over SSL is slower, so some people avoided putting the whole site under SSL.
Should I encrypt the whole site or just that one page.
The whole site would be easier, and I doubt your site would have any problems with performance based on SSL.
I really appreciate your thinking of making your whole website run over an encrypted channel with SSL security. Many websites avoid using SSL on all web pages, but in my personal opinion, if your website contains account log-in and sign-up on every page then it should be protected.
Whether you are running your website over HTTP or HTTPS, it rarely affects website loading time or your website's performance. Nowadays attackers always try to attack websites anyhow. Secure transmission of data reduces the risk of hacking and allows users to trust your website.

Non-SSL site making API call to SSL site

I apologize, I know this is a very short question but Google doesn't seem to help (I guess I'm not searching for the correct phrase or set of keywords).
If I have a site not protected by SSL and it makes an api call to an https site, is that information secure or do I need to have SSL as well?
I want to make sure I keep my users' data secure.
Only data in the API call (request) needs to be protected. Data returned by the API (response) to my (non-SSL) site isn't meaningful or sensitive.
Thanks in advance.
The call to the SSL site will be protected, but if it's multihop (client to non-SSL site to SSL site), the data on the first hop is plain text.
However, as @VictorRonin says, security is a much bigger concern than just SSL.
The call is protected. Your website talking to another website (protected by SSL) will send and get information inside of a protected channel.
However, it's hard to say whether your users' data is secure. Security requires a lot more than just usage of SSL.
I also had the same problem.
I'm using a 16-bit micro connected to the net by WiFi AT commands.
After connecting in transparent mode, I can normally send some simple text (HTTP) to request content from any web page (if those web pages do not need SSL).
This makes programming fun and easy.
But in these last few years life got stuck: almost every web page uses SSL, meaning programming needs more complex steps to reach the content.
But the most serious thing is that the CA (cert auth) cannot be used forever; it has an expiry time!!!
This means hardware devices have to modify their CA data frequently, so it's not practical for a small IoT firm.
However, I found a way, even if it's not the best, by using thingspeak.com (ThingHTTP).
With ThingHTTP you can request without SSL from any website which needs SSL.
I hope in the future there are more IoT clouds, or even some web pages that turn to using the old method (HTTP) in cases where the data does not need to be secure.
In my opinion, users can encode/decode the data by themselves instead of securing everything in the web page.
Thanks

Why should i use ssl?

I'm running a dating site and not using SSL at the moment.
I've noticed major sites like Facebook and Twitter do not use HTTPS for login but just use plain old HTTP. Is there really any advantage to HTTPS-ing my site, or is it only for cc transactions or so?
thanks in advance.
Actually, facebook does use https for its login:
<form method="POST" action="https://login.facebook.com/login.php?login_attempt=1" id="login_form">
as does twitter:
<form method="post" id="signin" action="https://twitter.com/sessions">
You'll notice they don't use https for the page that displays the signin form. That's because it isn't necessary.
However, it's a good idea to use SSL for the login itself if you can, if only because so many users employ the same password for all sites.
One solution, which I'd like to see more sites employ, is using OpenID/OAuth for login instead of requiring a username/password.
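The two hops a form depends on (delivery of the page that carries it, and the submission itself) can be checked separately. The audit below is an added example, not code from any poster on this page; it covers both the form quoted in the answer above and the scraped-form case from the first question, and reports the HTTP-delivery risk that other answers on this page describe. The page URLs, the `mysite.example` host and the second form are constructed, and `<base href>` handling is left out.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormCollector(HTMLParser):
    """Collect the action attribute of every <form> start tag."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")

def audit_forms(page_url, html):
    """Per form: where it submits, and which of the two hops lack TLS."""
    collector = FormCollector()
    collector.feed(html)
    page = urlsplit(page_url)
    report = []
    for action in collector.actions:
        # An empty or relative action resolves against the hosting page, so a
        # scraped form with action="/login" posts to the scraper's own host.
        target = urlsplit(urljoin(page_url, action))
        findings = []
        if page.scheme != "https":
            findings.append("form page delivered over HTTP: markup can be altered in transit")
        if target.scheme != "https":
            findings.append("submission sent unencrypted")
        if target.netloc != page.netloc:
            findings.append("data is posted to another host: " + target.netloc)
        report.append({"submits_to": target.geturl(), "findings": findings})
    return report

# QUOTED_FORM is the form tag quoted in the answer; SCRAPED_FORM and both
# page URLs are constructed for illustration.
QUOTED_FORM = ('<form method="POST" '
               'action="https://login.facebook.com/login.php?login_attempt=1" '
               'id="login_form">')
SCRAPED_FORM = '<form method="post" action="/login"><input name="user"></form>'

if __name__ == "__main__":
    print(audit_forms("http://www.example.com/", QUOTED_FORM))
    print(audit_forms("https://mysite.example/wrapped.html", SCRAPED_FORM))
```

For the scraped form, the empty findings list only says both hops to the hosting server use TLS; what that server then does with the submitted data is a separate connection, as the first answer on this page notes.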
SSL encrypts the traffic between the browser and the server. So virtually anything you want to be secure needs to be SSL'ed. Google search is even doing it so people can't have their search terms intercepted.
It's just a case of what YOU want secure, and whether not having certain parts of your site secure will keep wanted customers away. I would think a dating site has a lot of personal demographics information that some people might want secure... just my 2 cents.
SSL is used only when transmitting sensitive data between browser and server. It's fine for major sites like Facebook and Twitter to use HTTP (as long as the data is not sensitive). Most websites use SSL for their login page. SSL is also used by payment gateways to safely transfer payment information through the wire.
And by the way, http is not "plain old" and https is not new trend either :)
If your users are providing any sensitive data, ssl prevents it from being intercepted by a third party. If you don't use SSL, you should assume that some third party can see everything that every one of your users does on your website. If you are comfortable with them seeing this information, then keep it plain http, but if you don't like that thought, go https.
Another benefit of ssl is that it allows the use of Strict Transport Security, which not only forces https on all site activity, but also prevents a man in the middle from spoofing your site to a user and making them think they are accessing your site. Details here: http://en.wikipedia.org/wiki/Strict_Transport_Security
I work at a major ISP and am infatuated with one of your online members. By sniffing your packets, I can find out when and where she's meeting another member, rewrite the packet to change the location so the other guy doesn't show up, and then make my move.
You decide whether that's acceptable to your users.
HTTPS is useful to protect the credentials (user/password), but it increases the network load and requires more CPU resources (encryption). Thus, it is common to use it only for authentication.
HTTPS, with a server certificate, protects against phishing.
Banks uses end to end application