On 10/21/2013 5:21 PM, Anand Chitipothu wrote: > Hi, > > As part of the efforts to improve the privacy of users, > openlibrary.org website is now only available via https.
HTTP over SSL (aka "https") serves two purposes: it provides privacy by encrypting the channel between the server and the client, and it provides server authentication if (and only if) the server provides a public key certificate signed by a trusted authority. Usually, the only entities with the capability to "sniff the wire" for unencrypted traffic are governmental entities. Thus, https is appropriate when 1. the traffic is sensitive and 2. the traffic is of interest to an entity with enough resources to engage in wire sniffing. Examples include users living in repressive regimes downloading banned information, or large companies monitoring employee activity to detect porn sites. OpenLibrary is not a library. The only information it furnishes is library metadata. I'm having a hard time envisioning a scenario where any of the traffic between a user and OpenLibrary could be sensitive enough to draw the attention of any entity with the capability to do wire sniffing. (Perhaps https would be appropriate for archive.org, but that's a different issue). Why will https enhance user's privacy? When an SSL connection is established, the server presents a certificate to the browser that not only contains the server's public key (for setting up the encrypted channel) but also assertions about the server's identity. If you trust the signing certificate authority (in this case, GoDaddy.com) you can be assured that you have hit the site you think you have (assuming you actually look at the public key certificate returned by the web site). Server authentication guards against Trojan links where rogue agents present a site that /looks/ like OpenLibrary, but which isn't, and which may then collect sensitive information such as user names, passwords, and contact information. Signed certificates also minimize the likelihood of "man in the middle" attacks. Does OpenLibrary solicit any personally identifying information from users? Have there been any reported instances of counterfeit web sites designed to fool users into thinking they have reached openlibrary.org? There may be security issues surrounding the OpenLibrary web site, although on the whole the information solicited and provided seems relatively benign. Whatever issues /do/ exist are unlikely to be addressed by using HTTP over SSL. The https protocol is widely used to provide the appearance of security without providing the reality of security. Best practice suggests identifying the security threats (e.g. providing user information in database dumps) and then selecting the technology to directly ameliorate those threats. Using https for OpenLibrary is likely to be most harmless, but also mostly useless. _______________________________________________ Ol-tech mailing list [email protected] http://mail.archive.org/cgi-bin/mailman/listinfo/ol-tech Archives: http://www.mail-archive.com/[email protected]/ To unsubscribe from this mailing list, send email to [email protected]
