
Switched to SSL encryption for all pages

    Hi all,

    Technologies are constantly evolving.  As our lives become intertwined with the internet, security becomes ever more important.  I received several emails recently from privacy focused users expressing their dismay that the pages displaying their private messages were not encrypted.

     

    With the latest changes that I deployed tonight, all traffic between your computer and RA is encrypted by default.  The switch is more demanding on the servers, but we can never be too safe in this day and age.  The change is non-trivial despite the simple concept.  If you see odd behaviors, please let me know.  Thanks!

     

    eric Smile

    JML


      Thanks Eric.

       2014 goals: run a bunch....race some.....repeat...


      I'm back!

        Thanks. Does this affect the API?

          Thanks. Does this affect the API?

           

          No.  The API has always been using https.  There will be some upcoming breaking API changes though.

            Maybe you could make it plain HTTP by default, but have an option in one's personal settings to encrypt all traffic.  Probably a lot of people, myself included, wouldn't mind not having everything encrypted, as I don't put anything on here I wouldn't want others to see.

             

            Wouldn't that be a good tradeoff between offering full SSL encryption for anyone who wants it, without all the extra server load of having everyone's traffic encrypted?

             

            Just a thought.


            Interval Junkie --Nobby

              A welcomed change.  Thanks, Eric Smile

              2014 Goals:  sub-3 Marathon 

              Current Status 08/28: Slowly working back up from a pelvic stress fracture.  4mil distance PR w00t!

                 

                Wouldn't that be a good tradeoff between offering full SSL encryption for anyone who wants it, without all the extra server load of having everyone's traffic encrypted?

                 

                 

                I think not doing SSL by default to preserve CPU was a solid reason 10 years ago, but on modern equipment you are talking probably a maximum of 5% impact and I would be willing to bet it is less.

                jimmyb


                  Thanks, Eric, now our secret behind-the-scenes message clubs can go on with our mocking, feeling more secure that there is a slim probability that those we speak of will not find out. And for this fatherly act of SSL-ing us, you have been removed from the list of those who have been, are being, or shall be mocked, forever.

                   

                  Hopefully, everyone will throw in an extra buck for you come subscription re-up time, as I know the cost of SSL sure ain't pocket-change.

                   

                  Thanks, Founding Father and greaser of this little universe. 


                    Thank you Eric!

                    Well at least someone here is making relevance to the subject.

                    StellarsJJayS


                      Hi all,

                      Technologies are constantly evolving.  As our lives become intertwined with the internet, security becomes ever more important.  I received several emails recently from privacy focused users expressing their dismay that the pages displaying their private messages were not encrypted.

                       

                      With the latest changes that I deployed tonight, all traffic between your computer and RA is encrypted by default.  The switch is more demanding on the servers, but we can never be too safe in this day and age.  The change is non-trivial despite the simple concept.  If you see odd behaviors, please let me know.  Thanks!

                       

                      eric Smile

                       

                      Thank you Eric.  Cyber-privacy is a huge concern these days and ages.  I take it quite seriously and appreciate your efforts in this regard.

                      There is only one acceptable pace...all out suicide...

                      ...and today is a good day to die!

                                 --  Pre


                      Not dead. Yet.

                        It seems like overkill to me.  I guess it doesn't hurt, but those certificates can't be cheap.

                         

                        Do these users understand that it doesn't make their data any safer once it's uploaded?  That it only keeps the data safe while it is in transit?  For a criminal to get the data, they would need to be listening in on the line of traffic between the user and RA and extract the un-encrypted data from the stream.  Why would anybody go to the effort of doing that for workout data?  What would they get out of it?  The worst I can think is that they might be able to figure out where the user lives based on the map data.  And if a criminal wanted to find out where a user lived, there are probably easier ways than this.

                         

                        Maybe I'm missing something.  Either way, I just wanted to give my 2 cents.  I appreciate this and all of the other work you do for us, ericSmile

                        How can we know our limits if we don't test them?

                        StellarsJJayS


                          There is only one acceptable pace...all out suicide...

                          ...and today is a good day to die!

                                     --  Pre


                          delicate flower

                            Just curious, is this why while surfing at work this morning, no images display (lots of red x's) and I am getting interweb diagnostic errors?  That never happened before.  Not complaining...just asking.  I'm on IE 8 and web security runs pretty tight 'round here.

                            proud sherpa

                               I'm on IE 8 and web security runs pretty tight 'round here.

                               

                              Isn't there something of a contradiction here? Smile

                                Just curious, is this why while surfing at work this morning, no images display (lots of red x's) and I am getting interweb diagnostic errors?  That never happened before.  Not complaining...just asking.  I'm on IE 8 and web security runs pretty tight 'round here.

                                 

                                My only guess is that your company's policy allows only secured elements on a secured page to be displayed.  All images hosted on RA should be pointed to https.  Images posted by users tend to be http only.  You can verify this by clicking on a red x and checking its URL.  If you copy and paste the URL into your browser and the image comes up, then it would back up my hypothesis.  If not, post the URL here and I'll take a look.

                                 

                                eric Smile
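The hypothesis above (user-posted http images on an https page being blocked as mixed content) can be checked for a whole page rather than one red x at a time. The script below is an added example, not RA's code; the site URL and sample HTML are constructed, and it reports every subresource that would still load over plain http after an https switch.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Tags whose attribute fetches a subresource; a browser blocks or flags
# such a fetch when it goes over plain http from an https page.
SUBRESOURCE_ATTRS = {
    "img": ("src",),
    "script": ("src",),
    "iframe": ("src",),
}

class MixedContentFinder(HTMLParser):
    """Collect subresource URLs that resolve to plain http on an https page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for attr in SUBRESOURCE_ATTRS.get(tag, ()):
            value = dict(attrs).get(attr)
            if not value:
                continue
            # Resolve relative and scheme-relative (//host/...) references
            # against the page URL, as the browser does; both inherit https.
            absolute = urljoin(self.page_url, value)
            if urlsplit(absolute).scheme == "http":
                self.findings.append((tag, absolute))

def find_mixed_content(page_url, html):
    """Return [(tag, absolute_url)] for every http:// subresource in html."""
    if urlsplit(page_url).scheme != "https":
        return []  # only an https page can have mixed content
    parser = MixedContentFinder(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample page: a site-hosted image (relative path), a user-posted
# image with a hard-coded http URL, and a scheme-relative image.
SAMPLE_HTML = """<html><body>
<img src="/images/logo.png">
<img src="http://example.invalid/user/photo.jpg">
<img src="//cdn.example.invalid/pic.png">
<script src="https://example.invalid/app.js"></script>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://forum.example.invalid/topic", SAMPLE_HTML):
        print(f"mixed content: <{tag}> loads {url}")
```

Only the hard-coded http image is reported; the relative and scheme-relative references inherit https from the page and load normally.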
