SSLFail.com == SSL FAIL?

Posted by Tyler on January 27, 2009
Site Related

We just received a link to our own site. It would appear that someone was looking and discovered that we don’t have an SSL-enabled site. This is very true, but we’re not a large company with tons of visitors (in fact we’re still at less than 1000 unique visitors) and we’re not asking you for your passwords or allowing you to do online banking (however, feel free to email me your online banking information :) ).

We could set up a self-signed certificate to allow for encryption, but then you’d have to walk through those annoying “Add An Exception” screens for this site.

The reality of it is that not everyone needs SSL, although I’m sure in saying that even some of my fellow SSLFail.com bloggers will disagree with me.

That being said, if anyone feels we require an SSL cert, let me know… I doubt I’ll shell out the money for one, but maybe an SSL vendor will come along and read this and offer us one free of charge :) .

5 Comments to SSLFail.com == SSL FAIL?

Marcin
January 27, 2009

Oh no! What on earth could we do? Wait, I have an idea!

How about we SSH to the server, and then write posts using SQL INSERT statements. Yah!

Michael Dickey
January 28, 2009

You MUST have SSL or else someone can inject!!

(No, I’m with you, I think it is an arguable thing…unless you want to support encrypting everything on the web, which I wouldn’t mind, but I’m sure pretty much every government would mind.)

I’ve already sniffed Marcin’s password to the site…nicely enough, he uses it for other things too!

Patrick
February 9, 2009

Michael Coates
February 26, 2009

Agree, SSL is not needed for viewers of this site. I don’t provide you any sensitive data, nor do you have any sensitive data of mine. The worst case is a MitM injects false content.

Yes, a MitM could inject a malicious script, but they could do that for any other page I browse to just as easily.

-Michael

Tyler
February 27, 2009

Michael,

I agree… the assumption I made on people wanting SSL or complaining about the lack of SSL was that they wanted to bypass some basic content filter and were worried about the content of the site.

In that case, the encryption is needed but not the trust, hence the self-signed certificate.

Tyler.
