Switched to SSL encryption for all pages

eric :)


    Hi all,

    Technologies are constantly evolving.  As our lives become intertwined with the internet, security becomes ever more important.  I received several emails recently from privacy focused users expressing their dismay that the pages displaying their private messages were not encrypted.

     

    With the latest changes that I deployed tonight, all traffic between your computer and RA is encrypted by default.  The switch is more demanding on the servers but we can never be too safe in this day and age.  The change is non-trivial despite the simple concept.  If you see odd behaviors, please let me know.  Thanks!

     

    eric :)

    JML


      Thanks Eric.

      Rebuilding my aerobic base....racing next year.....nothing to see here....move along now.

      bhearn


        Thanks. Does this affect the API?

        eric :)


          Thanks. Does this affect the API?

           

          No.  The API has always been using https.  There will be some upcoming breaking API changes though.

          Cyberic


            Maybe you could make it plain HTTP by default, but have an option in one's personal settings to encrypt all traffic.  Probably a lot of people, myself included, wouldn't mind not having everything encrypted as I don't put anything on here I wouldn't want others to see.

             

            Wouldn't that be a good tradeoff between offering full SSL encryption for anyone who wants it, without all the extra server load of having everyone's traffic encrypted?

             

            Just a thought.

            stadjak


            Interval Junkie --Nobby

              A welcomed change.  Thanks, Eric :)

              2021 Goals: 50mpw 'cause there's nothing else to do

                 

                Wouldn't that be a good tradeoff between offering full SSL encryption for anyone who wants it, without all the extra server load of having everyone's traffic encrypted?

                 

                 

                I think not doing SSL by default to preserve CPU was a solid reason 10 years ago, but on modern equipment you are talking probably a maximum of 5% impact and I would be willing to bet it is less.

                BeeRunB


                  Thanks, Eric, now our secret behind-the-scenes message clubs can go on with our mocking, feeling more secure that there is a slim probability that those we speak of will not find out. And for this fatherly act of SSL-ing us, you have been removed from the list of those who have been, are being, or shall be mocked, forever.

                   

                  Hopefully, everyone will throw in an extra buck for you come subscription re-up time, as I know the cost of SSL sure ain't pocket-change.

                   

                  Thanks, Founding Father and greaser of this little universe. 

                  LedLincoln


                  not bad for mile 25

                    Thank you Eric!

                    Hoban-Jay


                      Hi all,

                      Technologies are constantly evolving.  As our lives become intertwined with the internet, security becomes ever more important.  I received several emails recently from privacy focused users expressing their dismay that the pages displaying their private messages were not encrypted.

                       

                      With the latest changes that I deployed tonight, all traffic between your computer and RA is encrypted by default.  The switch is more demanding on the servers but we can never be too safe in this day and age.  The change is non-trivial despite the simple concept.  If you see odd behaviors, please let me know.  Thanks!

                       

                      eric :)

                       

                      Thank you Eric.  Cyber-privacy is a huge concern these days and ages.  I take it quite seriously and appreciate your efforts in this regard.


                      Not dead. Yet.

                        It seems like overkill to me.  I guess it doesn't hurt, but those certificates can't be cheap.

                         

                        Do these users understand that it doesn't make their data any safer once it's uploaded?  That it only keeps the data safe while it is in transit?  For a criminal to get the data, they would need to be listening in on the line of traffic between the user and RA and extract the un-encrypted data from the stream.  Why would anybody go to the effort of doing that for workout data?  What would they get out of it?  The worst I can think is that they might be able to figure out where the user lives based on the map data.  And if a criminal wanted to find out where a user lived, there are probably easier ways than this.

                         

                        Maybe I'm missing something.  Either way, I just wanted to give my 2 cents.  I appreciate this and all of the other work you do for us, eric :)

                        How can we know our limits if we don't test them?

                        Hoban-Jay



                          delicate flower

                            Just curious, is this why while surfing at work this morning, no images display (lots of red x's) and I am getting interweb diagnostic errors?  That never happened before.  Not complaining...just asking.  I'm on IE 8 and web security runs pretty tight 'round here.

                            <3

                               I'm on IE 8 and web security runs pretty tight 'round here.

                               

                              Isn't there something of a contradiction here? :)

                              eric :)


                                Just curious, is this why while surfing at work this morning, no images display (lots of red x's) and I am getting interweb diagnostic errors?  That never happened before.  Not complaining...just asking.  I'm on IE 8 and web security runs pretty tight 'round here.

                                 

                                My only guess is that your company's policy allows only secured elements on a secured page to be displayed.  All images hosted on RA should be pointed to https.  Images posted by users tend to be http only.  You can verify this by clicking on a red x and check its url.  If you copy and paste the url into your browser and the image comes up, then it would back up my hypothesis.  If not, post the url here and I'll take a look.

                                 

                                eric :)
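The red x's described above are a mixed-content symptom: a page served over https that references sub-resources over plain http.  Modern browsers block mixed active content such as scripts and iframes outright and, depending on the browser, either block or try to upgrade mixed images, so the manual check Eric suggests (click the broken image, look at its URL) can be automated.  The following is an added example written for this page, not code from the forum software: it parses a page's HTML with the standard library and lists every sub-resource that would be fetched over http from an https page.  The sample page, the hostnames and the file names in it are constructed for the example.

```python
"""Mixed-content checker: finds http:// sub-resources referenced from an https:// page."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that cause a browser to fetch a sub-resource.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "object": ("data",),
    "embed": ("src",),
}

# <link> only fetches something for these rel values; rel="canonical" etc. is metadata.
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch"}


class _ResourceCollector(HTMLParser):
    """Collects (tag, absolute_url) for every sub-resource reference in the page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        attrs = dict(attrs)
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if not (FETCHING_LINK_RELS & set(rel)):
                return
        for name in wanted:
            value = attrs.get(name)
            if not value:
                continue
            if name == "srcset":
                # srcset is "url1 1x, url2 2x"; keep only the URL part of each candidate
                candidates = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                candidates = [value.strip()]
            for cand in candidates:
                # urljoin resolves relative and protocol-relative (//host/...) URLs
                # against the page URL, so those inherit the page's https scheme.
                self.resources.append((tag, urljoin(self.page_url, cand)))


def find_mixed_content(html, page_url):
    """Return (tag, url) pairs that a browser would fetch over plain http
    from a page served over https. Returns [] for a page that is not https,
    since mixed content only applies to secure pages."""
    if urlsplit(page_url).scheme != "https":
        return []
    collector = _ResourceCollector(page_url)
    collector.feed(html)
    return [(tag, url) for tag, url in collector.resources
            if urlsplit(url).scheme == "http"]


# Constructed sample page (not the forum's real markup): site-hosted assets use
# https or relative URLs, while one user-posted image and one embed use http.
SAMPLE_PAGE_URL = "https://forum.example.test/topic/123"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/style.css">
<link rel="canonical" href="http://forum.example.test/topic/123">
<script src="//cdn.example.test/app.js"></script>
</head><body>
<img src="https://forum.example.test/avatars/eric.png">
<img src="http://pics.example.test/user-upload.jpg">
<img src="images/logo.png">
<iframe src="http://widgets.example.test/embed"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"mixed content in <{tag}>: {url}")
```

Run against the sample it reports only the user-posted image and the iframe; the site's own stylesheet, the protocol-relative script and the relative logo all resolve to https and pass.  The canonical link is skipped because the browser never fetches it, so it cannot trigger a mixed-content block.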