May I post your explanation of HTTPS on my tech tips website?

John Rigdon
www.drit.us/help

Thanks

> On 10/21/2013 5:21 PM, Anand Chitipothu wrote:
>> Hi,
>>
>> As part of the efforts to improve the privacy of users,
>> openlibrary.org website is now only available via https.
>
> HTTP over SSL (aka "https") serves two purposes: it provides privacy by
> encrypting the channel between the server and the client, and it
> provides server authentication if (and only if) the server provides a
> public key certificate signed by a trusted authority.
>
> Usually, the only entities with the capability to "sniff the wire" for
> unencrypted traffic are governmental entities. Thus, https is
> appropriate when 1. the traffic is sensitive and 2. the traffic is of
> interest to an entity with enough resources to engage in wire sniffing.
> Examples include users living in repressive regimes downloading banned
> information, or large companies monitoring employee activity to detect
> porn sites.
>
> OpenLibrary is not a library. The only information it furnishes is
> library metadata. I'm having a hard time envisioning a scenario where
> any of the traffic between a user and OpenLibrary could be sensitive
> enough to draw the attention of any entity with the capability to do
> wire sniffing. (Perhaps https would be appropriate for archive.org, but
> that's a different issue). Why will https enhance users' privacy?
>
> When an SSL connection is established, the server presents a certificate
> to the browser that not only contains the server's public key (for
> setting up the encrypted channel) but also assertions about the server's
> identity. If you trust the signing certificate authority (in this case,
> GoDaddy.com) you can be assured that you have hit the site you think you
> have (assuming you actually look at the public key certificate returned
> by the web site). Server authentication guards against Trojan links
> where rogue agents present a site that /looks/ like OpenLibrary, but
> which isn't, and which may then collect sensitive information such as
> user names, passwords, and contact information. Signed certificates also
> minimize the likelihood of "man in the middle" attacks.
>
> Does OpenLibrary solicit any personally identifying information from
> users? Have there been any reported instances of counterfeit web sites
> designed to fool users into thinking they have reached openlibrary.org?
>
> There may be security issues surrounding the OpenLibrary web site,
> although on the whole the information solicited and provided seems
> relatively benign. Whatever issues /do/ exist are unlikely to be
> addressed by using HTTP over SSL. The https protocol is widely used to
> provide the appearance of security without providing the reality of
> security. Best practice suggests identifying the security threats (e.g.
> providing user information in database dumps) and then selecting the
> technology to directly ameliorate those threats. Using https for
> OpenLibrary is likely to be mostly harmless, but also mostly useless.
>
> _______________________________________________
> Ol-tech mailing list
> [email protected]
> http://mail.archive.org/cgi-bin/mailman/listinfo/ol-tech
> Archives: http://www.mail-archive.com/[email protected]/
> To unsubscribe from this mailing list, send email to
> [email protected]
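The server-authentication step the quoted reply describes (the browser chains the presented certificate to a root it trusts, and checks that the certificate actually names the host the user asked for) can be exercised offline. The following is an added example written for this page; it is not code from the thread, from Open Library or from any browser. It builds its own throwaway roots and leaves with Go's standard crypto/x509 package, so the CA names "Example Trusted Root CA" and "Rogue CA" and the host name "lookalike.example" are assumptions; only "openlibrary.org" comes from the thread. It runs three cases: the genuine site, a rogue site that presents a perfectly valid trusted-CA certificate for some other name on a connection the user meant for openlibrary.org, and a counterfeit certificate for openlibrary.org issued by a CA the client does not trust.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// site is the host the client believes it is talking to (name from the thread).
const site = "openlibrary.org"

// template is a certificate skeleton valid from an hour ago until tomorrow.
func template(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// sign issues tmpl under parent (parent == tmpl for a self-signed root)
// and parses the DER back into a certificate.
func sign(tmpl, parent *x509.Certificate, pub any, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA mints a self-signed root. It stands in for a browser-trusted CA
// (the GoDaddy root the thread mentions) or, in the rogue case, an untrusted one.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := template(1, name)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// issueLeaf has a CA sign a server certificate asserting the given DNS name.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := template(2, dnsName)
	tmpl.DNSNames = []string{dnsName}
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	return sign(tmpl, ca, &key.PublicKey, caKey)
}

// verifyServer is the check a browser performs on the presented certificate:
// chain it to a trusted root AND confirm it names the host the user asked for.
func verifyServer(presented, trustedRoot *x509.Certificate, expectedHost string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   expectedHost,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Scenarios reports whether the client accepts the genuine site, a trusted-CA
// certificate for another name, and an untrusted-CA certificate for the site.
func Scenarios() (genuineOK, otherNameOK, rogueCAOK bool, err error) {
	trustedCA, trustedKey, err := newCA("Example Trusted Root CA") // assumed name
	if err != nil {
		return
	}
	rogueCA, rogueKey, err := newCA("Rogue CA") // assumed name
	if err != nil {
		return
	}
	genuine, err := issueLeaf(trustedCA, trustedKey, site)
	if err != nil {
		return
	}
	otherName, err := issueLeaf(trustedCA, trustedKey, "lookalike.example") // assumed name
	if err != nil {
		return
	}
	impostor, err := issueLeaf(rogueCA, rogueKey, site) // right name, wrong issuer
	if err != nil {
		return
	}
	genuineOK = verifyServer(genuine, trustedCA, site) == nil
	otherNameOK = verifyServer(otherName, trustedCA, site) == nil
	rogueCAOK = verifyServer(impostor, trustedCA, site) == nil
	return
}

func main() {
	g, o, r, err := Scenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine: %v, other name: %v, rogue CA: %v\n", g, o, r)
}
```

Only the first case verifies; the second fails the hostname check and the third fails to chain to a trusted root, which is the "if (and only if)" condition the reply puts on server authentication. Note that the check lives in the client: a certificate that chains correctly for the name the user actually typed (say, a look-alike domain the attacker legitimately owns) passes, so this guards against impersonation of openlibrary.org, not against the user being lured to a different site.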
