Raymond.CC Blog

SSL Encryption in Forum Registration and Phone Verification

Updated by Raymond - 11 months ago - Computer

Secured websites such as PayPal or online banking websites use SSL encryption to ensure secure transactions between web servers and browsers. The visible difference between a normal and an encrypted webpage is the additional S after HTTP, which becomes HTTPS. Current versions of web browsers no longer show HTTP when you visit a normal unencrypted webpage. Only when you visit an SSL encrypted page will the web browser display HTTPS together with either the lock icon (Internet Explorer and Google Chrome), the Site Identity Button (Firefox) or the Security Badge (Opera).

It doesn’t mean that entering your login information on an SSL encrypted page is 100% safe, because there is a technique called WEBMITM (web man-in-the-middle) where the attacker is able to steal your sensitive information. Basically, the attack will only work if the attacker manages to connect to the same network as you, either through wireless or LAN. So make sure you’ve set your wireless router to use WPA2 encryption with a non-dictionary word as the password, and use a VPN when you have to connect to public Wi-Fi.

Implementing SSL encryption on certain webpages is not as easy as it looks because it involves quite a few steps. First I need to purchase a standard SSL certificate, and so far the cheapest I have found is $12.99 per year from Godaddy by using a discount coupon. Normally the Standard SSL certificate at Godaddy costs $64.95 per year, but using the code sslqgasia7 will give you a hugely discounted price. After purchasing, I need to log in to my server to generate a Certificate Signing Request (CSR) and submit it to Godaddy. Godaddy will then issue a digital SSL certificate, which I will download and install on my server.

I wouldn’t want to use HTTPS on the whole site because it is slower, consumes more bandwidth and puts more load on the server. So the best option is to only use HTTPS on certain important pages such as the registration and phone verification pages. This is easily done with a custom vBulletin plugin that hooks a couple of locations.

The biggest problem that I went through was the mixed content of HTTP and HTTPS on a secured page. Although that shouldn’t cause any problems, it triggers a warning message “Internet Explorer blocked this website from displaying content with security certificate error” without a padlock icon. Opening the secure page with mixed content in Chrome shows a red crossed-out HTTPS. Instead of giving people confidence with the SSL encryption, the errors may end up scaring the visitors away.

Google Chrome HTTPS red crossed out
A crossed out HTTPS in Google Chrome. Can be confusing if the page is still secure.

I used Firebug to track down all the images, JavaScript and CSS files that are still loaded from HTTP on the HTTPS page and updated the links to a more obscure relative URL syntax in the vBulletin template and StyleVars. It really did take me a while to find Ned Batchelder’s working solution… There are a couple of related articles published by HttpWatch which are very useful in fixing mixed-content pages (1, 2, 3).

Secured Phone Verification
Phone verification page is secured with 2048 bit RSA/SHA encryption

Forum registration secured
Forum registration page is also secured and encrypted

I hope this update will give everyone more peace of mind when registering a new account in the forum and performing a one-time phone verification. X-Ray will finally be released soon and I am looking into code signing to guarantee to users that they are, in fact, running the code they believe they are running, and that the code was written by the individual or organization that the certificate was issued to. It is a good way to verify that the code being run has not been altered or corrupted, but the code signing process is pretty long and also expensive.


One comment on “SSL Encryption in Forum Registration and Phone Verification”

  1. Jeff Liu says:
    1 year ago

    No mention of BEAST?


(c) 2013 Raymond.CC Blog