Author Topic: Securing the AZSlow website with HTTPS

AndyMac
Securing the AZSlow website with HTTPS
« on: April 20, 2021, 10:57:17 AM »
Currently it seems that AZSlow.com is only using HTTP. Given the raised issue with security risks (and the growing need for browsers to use only HTTPS), are you planning to set up HTTPS for this website?

azslow3
Re: Securing the AZSlow website with HTTPS
« Reply #1 on: April 20, 2021, 01:21:10 PM »
Do you feel "safer" now?  :D

I hope you understand that web certificates guard you against a LOCAL "man in the middle" ONLY. I will try to explain as briefly as possible:
  • If someone at the place where you connect to the Internet tries to fool you, the web certificate helps. That includes your local computer (to some extent; once your system is really compromised, nothing can protect you, not even "secure boot") and the WLAN/Ethernet router (especially important for "open" WLAN access points)
  • In all other cases a web certificate has absolutely zero impact on security. Just 2 examples:
    • If the web server is compromised, its certificate is also compromised
    • If someone uploads/publishes something fishy (when publishing/uploads are not moderated, like on this site), the certificate is not in the game

So, effectively web certificates fool people into thinking the web site is 'safe'. That is why I had not installed one before, and maybe I will remove it later...
Note that "www.azslow.com" is far safer than probably most of the web sites you are visiting. With little effort you can get my real name, telephone number and address and check that I am definitely a real person. Try that with an arbitrary "small company site" and you will be surprised: many of them are registered through third-world countries where you can't get any reasonable information about the owner. And with almost any company you will not get a real human name with a real human address, just some "post box" address.

Note that web certificates like the one installed on this site now do not check who is behind the certificate at all; they are issued based on an (arbitrary) e-mail address and the fact that the person controls the web server at this particular moment.

-----

So, why does "everyone" talk about the "raised issue with security risks"? Simple: it is "money for nothing". Most certificates cost money, while the issuer has ZERO responsibility for any consequences. At most they check that the human/organization is real and charge way too much money for that.

-----

Please note that all I have written is valid for web certificates ONLY. Document and software signing (especially after Apple/Microsoft started to check the software before signing) really makes sense.

Unfortunately, if I start signing "AZ Controller" it will not be free. While there are some ways to sign Open Source software cheaply or for free, doing so with arbitrary software is ridiculously expensive. It would cost me several times more per year than this website...
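Added example, not code from the thread or from the AZSlow site: a Go program that builds self-signed test certificates and reports what each one actually asserts. It illustrates the point above that a domain-validated certificate binds a key to host names only and carries no organization identity, so a browser's padlock says nothing about who runs the site. The host name and organization values are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a self-signed certificate (constructed test data, not a
// CA-issued one) for host, with the given organization names in its subject.
// nil orgs mimics a domain-validated certificate; non-empty orgs mimics an
// organization-validated one.
func makeCert(host string, orgs []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host, Organization: orgs},
		DNSNames:     []string{host}, // the only thing DV issuance verifies
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IdentityClaims summarises what a leaf certificate really asserts.
type IdentityClaims struct {
	Hosts        []string // names the certificate is valid for (SAN)
	Organization []string // empty for domain-validated certificates
}

// Inspect extracts the host and organization claims from a parsed certificate.
func Inspect(cert *x509.Certificate) IdentityClaims {
	return IdentityClaims{Hosts: cert.DNSNames, Organization: cert.Subject.Organization}
}

// AssertsIdentity reports whether the certificate names a legal entity at all.
func AssertsIdentity(c IdentityClaims) bool { return len(c.Organization) > 0 }

func main() {
	dv, _ := makeCert("www.example.com", nil)
	ov, _ := makeCert("www.example.com", []string{"Example Corp"})
	for _, c := range []*x509.Certificate{dv, ov} {
		fmt.Printf("%+v identity=%v\n", Inspect(c), AssertsIdentity(Inspect(c)))
	}
}
```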