SSL is not strictly required; it just adds an additional level of security. If you take a look at a packet trace of you authenticating to a non-SSL wallet, the pass phrase is not sent over the wire. Instead, after you enter your passphrase, the browser requests the public key for your account (the account ID is generated from the passphrase). Presumably then, the private key (also generated from the passphrase) is used to validate the public key and grant access.
So, even without SSL the passphrase cannot be harvested; SSL just adds an additional layer by making the entire conversation encrypted.
SSL is required for real security. SSL provides both encryption and authentication. Without SSL, it is possible to perform a man-in-the-middle attack.
For example: an attacker sitting in the middle of your non-SSL connection can replace the JavaScript on the webpage with malicious JavaScript that harvests your password.
I'm glad Burst City added SSL to their wallet, but it really should have been there all along. To be honest, in this day and age, every website should have SSL, especially a website that is dealing directly with sending and receiving a crypto-currency.
Two notes to that:
1. SSL is as good as the certificate is. There are different levels. Some, as this one, are only good that you know the connection is secure.
It misses contacts, background checks, ...
Basically this certificate says: the connection is correct!
2. The next step is what the server does with your information.
... I don't want to spell out what could happen, if the passphrase leaks to the owner/employee/hacker of that site.
With all anonymity, ... we know not even who is xxx of that site.
I strongly recommend NOT to use such a site for MONEY sensitive issues! For me it is merely a "proof of concept", but not to use!
Elmit, Crowetic is a known, trusted member of the Burst community. I trust the services he provides totally. If you offered a web wallet I wouldn't trust it even if you offered 10x the encryption level. Reputation and history are everything, and you fail on both.
H.
Wow... in Crowetic's defense... he has been completely transparent if nothing else.
He has been a part of Burst when only like 5 or 6 of us were chatting in the beginning.
Elmit... if it's the same Elmit I know of from burstforum... you couldn't give me anything he has to offer if it was free and you added something to it.
Headache, Crowetic is a Burst community member as you and me. I am glad you trust him.
He stated several times that xxx had a problem, apologized for it, ... The group did not pay out for the asset, change the asset at their will, without any way to verify their calculations. ... that all did not establish trust to him either.
I don't think he is transparent, he might be your boss, but not transparent to the public. I made the proof of concept a while back. Yes it is working, but I will not offer such service. It is not a question of the encryption level, when he cannot program by himself and rely on others, who we do not know, .. who are like Headache anonymous. REAL MAN do not hide behind anonymous, REAL MAN stand to it. REAL MAN do not post unverified matters in public, knowing they do just harm but give no chance to reply.
wmikrut, I have replied with many good things at the burstforum, till I found myself kicked out by the slammers. If you need something from me, talk to me. I am always helping. Actually I cannot catch your meaning what you got for free and added something.
Well, as a Sr member I should apologize... I guess there are always two sides to every story... and I admit, my information feed is a little one-sided.
While I am in the business of IT, I do not see cheap certs as a bad thing... certs can be difficult to deploy unless you have a good working knowledge of how to deploy them.
Even as of late I helped a client install a proper bundle chain into a web server that was not set up correctly.
Then you need to make sure the SSL site has no references to non-secure links, and the parade goes on and on.
Do I trust crowetic implicitly, of course not... I don't implicitly trust people I even see every day.
However, he has never given me a reason not to trust him with day to day operations of the Asset and his pool.
I don't even trust to mine to a single wallet in the event of a breach.
I mine to one wallet and transfer those funds off to other wallets... same as I do with everything I mine.
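
The point raised in the thread above, that an SSL site must not reference non-secure resources (otherwise an on-path attacker can still swap the script), shown as an added example that is not part of any post. It is a small mixed-content scanner; the names `scan`, `LOADS`, `wallet.example` and `cdn.example` and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# (tag, attribute) pairs that fetch a subresource. "active" loads can run code
# or restyle the page; "passive" ones only display; "form" is a submit target.
LOADS = {
    ("script", "src"): "active", ("iframe", "src"): "active",
    ("img", "src"): "passive", ("source", "src"): "passive",
    ("form", "action"): "form",
}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for (t, attr), severity in LOADS.items():
            if t == tag and attrs.get(attr):
                self._check(severity, tag, attrs[attr])
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and attrs.get("href") and "stylesheet" in rel:
            self._check("active", tag, attrs["href"])

    def _check(self, severity, tag, ref):
        # Resolve relative and protocol-relative references against the page URL.
        absolute = urljoin(self.page_url, ref.strip())
        if urlparse(absolute).scheme == "http":
            self.findings.append((severity, tag, absolute))

def scan(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; all host names are placeholders.
SAMPLE = """<script src="http://cdn.example/jquery.js"></script>
<script src="//cdn.example/ok.js"></script>
<link rel="stylesheet" href="http://wallet.example/css/site.css">
<img src="/img/local.png"><img src="http://img.example/logo.png">
<form action="http://wallet.example/login"></form>
<a href="http://example.org/">navigation only, not a subresource</a>"""

if __name__ == "__main__":
    for severity, tag, url in scan("https://wallet.example/index.html", SAMPLE):
        print(f"{severity:8} <{tag}> {url}")
```

Any "active" finding means the page's code can still be replaced in transit even though the page itself is served over SSL.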