Worried about website security?

September 27, 2017

UPDATE: As of September 30, 2017, this website is secured by SSL encryption. A lock icon will appear in your browser on login pages (and most other pages). Although SSL is not really necessary on this website, I understand that it provides peace of mind. That's why I went to the trouble to install SSL. For anyone who might be interested in such things, the blog entry below was originally written to explain why SSL is actually not necessary on this website.

Best Regards,
Aaron


[original post]

For some time now, Firefox browsers have been showing this message to anyone logging in to their account on this website. Chrome shows something similar. It looks scary. Is this something you should be worried about?

The short answer is: NO

With these warning messages, Google is trying to force every website to use HTTPS for all login pages. HTTPS is a special web service. It is not free (though developers at Firefox are trying to claim otherwise). It can cost hundreds per website. Of course, websites that handle credit cards and banking absolutely DO need to use HTTPS. But websites that do not handle any such sensitive information (such as this website) absolutely DO NOT need to use HTTPS. All transactions through this website are handled by PayPal, and PayPal DOES use HTTPS. Google is frightening and confusing people with these warnings for no reason.

Saying that every login page needs to use HTTPS is like saying that every crosswalk needs to be equipped with armed guards. It is up to individuals to exercise reasonably good judgement for the sake of their own security. If you are concerned about security, then don't reuse your banking password for sites like this one. What? Only an idiot would do that? Tell that to Google.

What about the security of the database which stores your user information on this website? First of all, there is no sensitive information in the database, unless you consider your name and your email address sensitive. Passwords cannot be stolen from the database because they aren't stored in the database. Only SHA encrypted hashes are stored. Databases on this website use prepared statements and are immune to SQL injection hacking.

All that said, I will at some point be implementing HTTPS on all my websites anyway, not because I need to, but because I would prefer to get rid of these annoying and unnecessary warnings from Google. Until the warnings disappear, you can safely ignore them, because you are smarter than Google thinks you are.

Regards,
Aaron
