thinking about the importance of https

Discussion in 'other security issues & news' started by sh4dow, Feb 9, 2012.

Thread Status:
Not open for further replies.
  1. sh4dow

    sh4dow Registered Member

    Joined:
    Mar 3, 2006
    Posts:
    15
    please correct me if i am wrong with any of the following...

    as far as i am aware, https really only protects from anybody between user and server intercepting unencrypted data. so if you have malware on your computer that logs and sends your data before it gets encrypted by https, you are still screwed.
    hence the virtual keyboards for internet cafes and such.

    now...
    i was thinking about this from the point of view whether it would even theoretically make sense to get an https certificate for my website. because... unless the network people use at home has been compromised, chances seem to be really low that somewhere between user and ISP or ISP and my server, there could be some private person intercepting the data.

    and since i would operate a website that people are unlikely to access from work and i don't see it as my responsibility to protect people who don't take care of the security of their network at home, i wonder why i should even bother (plus, it's also not like people would store sensitive information on my site that privacy would be such a big deal... don't get me wrong - i love it and i would want it everywhere but... in this case, i would have to pay for it and since it's a small private project, it just seems like it wouldn't be worth it).

    i also started to think about this because i thought about how to provide secure access to an "admin frontend" for the website. and when i thought about whether it would be possible without https, i realized that unless my own network is compromised, https wouldn't give me more security. just privacy regarding what my ISP can see. so the only thing that could realistically happen would be that some malware slips through my scanners.
    and to battle that - i am actually wondering which would be more secure... logging in with a virtual keyboard or with a randomly generated hash that i send to my email address and remove immediately after each login (and the login times out after 15 minutes or so)?
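
The e-mailed login token described in the post above (random value, removed after each login, expiring after 15 minutes), as an added example that is not part of the original thread. The class and method names are hypothetical, storage is in memory only, and e-mail delivery is left out.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # the "15 minutes or so" from the post


class OneTimeLoginTokens:
    """Single-use, expiring login tokens (hypothetical helper, in-memory only)."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be exercised in tests
        self._pending = {}    # sha256(token) hex digest -> expiry timestamp

    @staticmethod
    def _digest(token: str) -> str:
        # Only the digest is stored, so a leaked token table cannot be
        # replayed as valid logins.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self) -> str:
        """Create the token that would be e-mailed to the admin."""
        token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
        self._pending[self._digest(token)] = self._clock() + TOKEN_TTL_SECONDS
        return token

    def redeem(self, presented: str) -> bool:
        """Return True exactly once for a valid, unexpired token."""
        now = self._clock()
        # Purge expired entries so tokens that were never used do not linger.
        self._pending = {d: exp for d, exp in self._pending.items() if exp > now}
        # pop() removes the entry on the first successful login (single use).
        return self._pending.pop(self._digest(presented), None) is not None


if __name__ == "__main__":
    store = OneTimeLoginTokens()
    token = store.issue()
    print("first use :", store.redeem(token))
    print("second use:", store.redeem(token))
```

Single use and a short lifetime limit what a captured token is worth afterwards, but a token submitted over plain HTTP can still be read in transit before it is redeemed.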
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    If you were to access the admin area you would use SSH, which is encrypted anyways.

    HTTPS isn't that important for non-critical sites. There's no reason for you to purchase a certificate if your users aren't sending sensitive information.
     
  3. sh4dow

    sh4dow Registered Member

    Joined:
    Mar 3, 2006
    Posts:
    15
    i'm talking about an admin area as a web interface, that i create. not to perform maintenance tasks on the server but for content maintenance on my website.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Oh I see. Well even still I don't see it as an issue.
     
  5. badkins79

    badkins79 Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    60
    Location:
    Maryland
    Unless you are transmitting sensitive data, there is no need for https. For the admin interface, I still wouldn't worry about it unless you plan on logging in from coffee shop wifi or any other public wifi.

    Another benefit of https besides protecting traffic from being read en route is that it protects traffic from being altered en route. For example, a rogue piece of javascript could be inserted into a page that would send a copy of any credit card details that get entered.
     