Topic: Blockchain.info should switch to SSL by default (Read 3191 times)

member
Activity: 74
Merit: 10
What about a way to see just the basic info without loading the full page and images?
Like 5 last incoming/outgoing or balance?

Edit: like the way https://blockchain.info/q/getblockcount shows only text,
show only:   
last   {in/out, amount, to/from account, #of confirms, time/date, balance}
2 ago {in/out, amount, to/from account, #of confirms, time/date, balance}
3 ago {in/out, amount, to/from account, #of confirms, time/date, balance}
legendary
Activity: 1358
Merit: 1003
Ron Gross
HTTPS increases resource usage significantly. This is what my experience has taught me.

OK then.
The right course of action would be to measure the specific data on blockchain.info and decide.
In any case, I installed HTTP everywhere myself.
legendary
Activity: 3640
Merit: 1571
HTTPS does take up much more resources in my experience. I used to run a network of sites and when I enabled SSL access, load and memory usage shot up a lot.

Yeah, but compared to what?
When the baseline is a static content site, sure.
When the baseline is a complicated site like blockchain.info with multiple different processes - I'm not sure the relative added cost would be that significant.

Compared to a dynamic site. Specifically a site running a copy of the glype proxy script. Very dynamic - every single request including those for images and other linked content goes through a PHP file. Only caching is APC PHP bytecode caching. No database usage, which is different from blockchain.info, but still you get the idea.

HTTPS increases resource usage significantly. This is what my experience has taught me.
legendary
Activity: 1358
Merit: 1003
Ron Gross
HTTPS does take up much more resources in my experience. I used to run a network of sites and when I enabled SSL access, load and memory usage shot up a lot.

Yeah, but compared to what?
When the baseline is a static content site, sure.
When the baseline is a complicated site like blockchain.info with multiple different processes - I'm not sure the relative added cost would be that significant.
legendary
Activity: 3640
Merit: 1571
But there's this too.  It certainly increases real costs to implement HTTPS on every page, not to mention that pages will generally load slower for users.

Only piuk can say if this is a meaningful cost or a negligible one.
HTTPS is usually handled at the load balancer / front end servers, and AFAIK doesn't really take up a meaningful amount of resources.

HTTPS does take up much more resources in my experience. I used to run a network of sites and when I enabled SSL access, load and memory usage shot up a lot.
legendary
Activity: 966
Merit: 1004
Install HTTPS Everywhere in Firefox or Chrome and you need not worry about accidentally going to an insecure page:

https://www.eff.org/https-everywhere

But yes it would be better if it was the default.




Indeed!~


But SgtSpike is right! Server load and costs will increase and SSL on every page will slow it all down for sure!
legendary
Activity: 1358
Merit: 1003
Ron Gross
But there's this too.  It certainly increases real costs to implement HTTPS on every page, not to mention that pages will generally load slower for users.

Only piuk can say if this is a meaningful cost or a negligible one.
HTTPS is usually handled at the load balancer / front end servers, and AFAIK doesn't really take up a meaningful amount of resources.
legendary
Activity: 1400
Merit: 1005
Redirect upon form submission is useless - the form is still originally submitted over HTTP, so the information goes over clear text. Afterwards you get redirected, but your security has already been compromised.
Which is why I agree with you that, if https were to be implemented for search queries, it should start at the homepage.

HTTPS traffic takes up more server resources than HTTP traffic. It takes up more CPU and RAM. Given that blockchain.info is a free service I see no reason why the webmaster should spring for more servers just to please some people.

If you are paranoid about this you should use the HTTPS version. Bookmark it and always visit the site via the bookmark.
But there's this too.  It certainly increases real costs to implement HTTPS on every page, not to mention that pages will generally load slower for users.
legendary
Activity: 3640
Merit: 1571
HTTPS traffic takes up more server resources than HTTP traffic. It takes up more CPU and RAM. Given that blockchain.info is a free service I see no reason why the webmaster should spring for more servers just to please some people.

If you are paranoid about this you should use the HTTPS version. Bookmark it and always visit the site via the bookmark.
hero member
Activity: 784
Merit: 501
Install HTTPS Everywhere in Firefox or Chrome and you need not worry about accidentally going to an insecure page:

https://www.eff.org/https-everywhere

But yes it would be better if it was the default.
hero member
Activity: 644
Merit: 500
I take back what I said, and am instead pleasantly surprised.  I had always been under the impression that GET requests were inherently insecure, even over HTTPS. Google'd a bit just now and my understanding is now corrected.
legendary
Activity: 1358
Merit: 1003
Ron Gross
Redirect upon form submission is useless - the form is still originally submitted over HTTP, so the information goes over clear text. Afterwards you get redirected, but your security has already been compromised.
full member
Activity: 294
Merit: 100
So, if I go to blockchain.info and search for a transaction, upon hitting post, it redirects me to the SSL version of their site. This is where it redirected me, as a matter of fact:

https://blockchain.info/block-index/393463/0000000000000101a6ec423efffd45e070f3aa628d4ab9fd688abb9eb26555f8

See anything wrong with it? Any attacker or man-in-the-middle will know exactly what you were searching for simply by looking at the URL you arrive at. Just as if you search for a transaction that hit this wallet "11CtTrDnLu2DtbQJPYDUVGf5ZeQ7RB1ao", you arrive at this SSL-enabled page "https://blockchain.info/address/11CtTrDnLu2DtbQJPYDUVGf5ZeQ7RB1ao"

The page is only encrypted to prevent a man in the middle from replacing information on each result page, but it does zero in the name of user privacy. Adding a redirect won't change anything.
Correct me if I am wrong, but URLs are encrypted in SSL as well.

You are correct.
legendary
Activity: 1400
Merit: 1005
So, if I go to blockchain.info and search for a transaction, upon hitting post, it redirects me to the SSL version of their site. This is where it redirected me, as a matter of fact:

https://blockchain.info/block-index/393463/0000000000000101a6ec423efffd45e070f3aa628d4ab9fd688abb9eb26555f8

See anything wrong with it? Any attacker or man-in-the-middle will know exactly what you were searching for simply by looking at the URL you arrive at. Just as if you search for a transaction that hit this wallet "11CtTrDnLu2DtbQJPYDUVGf5ZeQ7RB1ao", you arrive at this SSL-enabled page "https://blockchain.info/address/11CtTrDnLu2DtbQJPYDUVGf5ZeQ7RB1ao"

The page is only encrypted to prevent a man in the middle from replacing information on each result page, but it does zero in the name of user privacy. Adding a redirect won't change anything.
Correct me if I am wrong, but URLs are encrypted in SSL as well.
hero member
Activity: 644
Merit: 500
So, if I go to blockchain.info and search for a transaction, upon hitting post, it redirects me to the SSL version of their site. This is where it redirected me, as a matter of fact:

https://blockchain.info/block-index/393463/0000000000000101a6ec423efffd45e070f3aa628d4ab9fd688abb9eb26555f8

See anything wrong with it? Any attacker or man-in-the-middle will know exactly what you were searching for simply by looking at the URL you arrive at. Just as if you search for a transaction that hit this wallet "11CtTrDnLu2DtbQJPYDUVGf5ZeQ7RB1ao", you arrive at this SSL-enabled page "https://blockchain.info/address/11CtTrDnLu2DtbQJPYDUVGf5ZeQ7RB1ao"

The page is only encrypted to prevent a man in the middle from replacing information on each result page, but it does zero in the name of user privacy. Adding a redirect won't change anything.
sr. member
Activity: 392
Merit: 250
Why not? But not compulsory.
That would prevent me from sleeping ...
legendary
Activity: 1358
Merit: 1003
Ron Gross
Currently blockchain.info supports SSL, but doesn't require it. If you go to either http://blockchain.info/ or https://blockchain.info/ and search for a bitcoin address, it works.

I propose that the homepage will always redirect from http://blockchain.info/ to https://blockchain.info/
After this redirect, any search a user does on this site will be on SSL by default.

The purpose is to make it a bit harder on men-in-the-middle (e.g. ISPs) to capture any traffic that helps them analyze which users searched which addresses.
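
An added example, not part of any post in this thread: it models what a passive on-path observer can read under the two redirect placements discussed here (a redirect only after the search form is submitted, versus the proposed redirect at the homepage). The `/search` path and `search=` parameter are hypothetical; the address and the `/address/` URL are the ones quoted in the thread.

```python
from urllib.parse import urlsplit

# Constructed request sequences. The /search endpoint and its parameter are
# hypothetical; the address and /address/ URL are quoted in the thread.
ADDR = "11CtTrDnLu2DtbQJPYDUVGf5ZeQ7RB1ao"

REDIRECT_AFTER_SUBMIT = [
    ("GET", "http://blockchain.info/", None),
    ("POST", "http://blockchain.info/search", "search=" + ADDR),  # then redirected
    ("GET", "https://blockchain.info/address/" + ADDR, None),
]
REDIRECT_AT_HOMEPAGE = [
    ("GET", "http://blockchain.info/", None),                     # then redirected
    ("GET", "https://blockchain.info/", None),
    ("POST", "https://blockchain.info/search", "search=" + ADDR),
    ("GET", "https://blockchain.info/address/" + ADDR, None),
]


def observer_view(sequence):
    """Return what a passive on-path observer can read from each request."""
    view = []
    for _method, url, body in sequence:
        parts = urlsplit(url)
        if parts.scheme == "https":
            # TLS encrypts the request line, headers and body. The hostname is
            # normally still visible (DNS lookup, TLS SNI); the path is not.
            view.append({"host": parts.hostname, "path": None, "body": None})
        else:
            target = parts.path + ("?" + parts.query if parts.query else "")
            view.append({"host": parts.hostname, "path": target, "body": body})
    return view


def leaks(sequence, secret):
    """True if the secret appears in anything the observer can read."""
    return any(
        secret in (seen["path"] or "") or secret in (seen["body"] or "")
        for seen in observer_view(sequence)
    )


if __name__ == "__main__":
    for name, seq in [("redirect after submit", REDIRECT_AFTER_SUBMIT),
                      ("redirect at homepage", REDIRECT_AT_HOMEPAGE)]:
        print(name, "-> searched address readable on the wire:", leaks(seq, ADDR))
```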