Raise the Hammer now has its own SSL Certificate for Secure HTTP connections to the site, using the free StartSSL certification service by StartCom.
This means you should no longer get scary security warnings from your browser if you use HTTPS instead of plain HTTP to browse RTH.
When you view RTH pages using HTTPS instead of HTTP, all content transmitted over the internet between your computer and the web server is first encrypted instead of being sent in plain text. This makes it much more difficult for a malicious third party to intercept the data and read it as it travels across the network.
This change is part of our ongoing efforts to make your use of RTH more secure.
Last March, RTH introduced the ability to access the site using the HTTPS protocol. An HTTPS connection (rather than an HTTP connection) means any data transmitted between your computer and the web server (like your username and password) is encrypted so that other people cannot see your login and hijack your user account.
The drawback to that earlier method is that it used the SSL certificate of our hosting provider, Webfaction.
As a result, if you used HTTPS to connect to the site, some browsers would issue a security warning that the domain name on the certificate - webfaction.com - did not match the domain name of this site - raisethehammer.org.
Using an SSL Certificate that is specifically dedicated to raisethehammer.org alleviates this issue.
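The warning described above comes from the client comparing the names in the certificate with the host name it requested. The following Python code is an added example, not code from RTH or from any browser; it assumes the common RFC 6125-style rules (an exact match, or a `*` standing in for exactly the leftmost label), and `web1.webfaction.com` is a constructed host name.

```python
def name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate name with the requested host (RFC 6125 style)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    # A wildcard covers exactly one label, so label counts must be equal.
    if len(p) != len(h) or "" in p or "" in h:
        return False
    # "*" is only honoured as the complete leftmost label.
    if any("*" in label for label in p[1:]):
        return False
    if p[0] == "*":
        # Require at least two fixed labels so "*.com" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False
    return p == h


def check_host(cert_names, host):
    """Return (ok, message) the way a strict HTTPS client would decide."""
    for name in cert_names:
        if name_matches(name, host):
            return True, f"{host} is covered by certificate name {name}"
    listed = ", ".join(cert_names)
    return False, f"certificate names ({listed}) do not match {host}"


# Names taken from the page; web1.webfaction.com is a constructed example host.
SHARED_CERT = ["*.webfaction.com"]
DEDICATED_CERT = ["raisethehammer.org"]

if __name__ == "__main__":
    for names in (SHARED_CERT, DEDICATED_CERT):
        for host in ("raisethehammer.org", "web1.webfaction.com"):
            print(check_host(names, host)[1])
```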
The free StartSSL service does not include an Extended Validation Certificate, so your browser's location bar will not turn green when you connect via HTTPS. However, pages should load without any certificate warnings, and you will enjoy the security benefits of an encrypted connection to the site.
If you are logging into the site with a registered user account, and especially if you are logging in over a shared public Wi-Fi connection, you should seriously consider using HTTPS instead of HTTP. Otherwise, your data is travelling between your computer and the RTH web server in plain text and anyone can intercept and read it - including your username and password.
If you access RTH using HTTPS, all the content - web pages, style sheets, JavaScript files, images, etc. - on the RTH web server will be served in HTTPS. However, some pages also include content from third party sites - like embedded images and media files - that are served in plain HTTP. On those pages, your browser will probably warn you that you have requested an encrypted page that contains both encrypted and unencrypted files.
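A site owner can find the pages that trigger this mixed-content warning before readers do. The following Python code is an added example, not part of RTH's code base: it lists the subresources an HTTPS page would fetch over plain HTTP and separates active content (scripts, frames, style sheets) from passive media. The sample HTML, its paths and the `example.*` hosts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

ACTIVE = {"script", "iframe", "link", "object", "embed"}  # can change the page
PASSIVE = {"img", "audio", "video", "source"}             # display-only media
URL_ATTR = {"link": "href", "object": "data"}             # every other tag: src

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE | PASSIVE:
            return  # ordinary <a href> links are navigation, not subresources
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return
        raw = a.get(URL_ATTR.get(tag, "src"))
        if not raw:
            return
        # Relative and protocol-relative (//host/...) URLs inherit https.
        url = urljoin(self.page_url, raw.strip())
        if urlsplit(url).scheme == "http":
            kind = "active" if tag in ACTIVE else "passive"
            self.findings.append((kind, tag, url))

def find_mixed_content(page_url, html):
    """Return (kind, tag, url) for each plain-HTTP subresource of an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # a page loaded over HTTP has no mixed content by definition
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page, for illustration only.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/style.css">
<script src="http://stats.example.com/tracker.js"></script>
</head><body>
<img src="http://images.example.net/photo.jpg">
<img src="//cdn.example.org/logo.png">
<a href="http://example.com/">plain link</a>
</body></html>"""

if __name__ == "__main__":
    for finding in find_mixed_content("https://raisethehammer.org/", SAMPLE_HTML):
        print(*finding)
```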
Because all communications between your browser and the web server are encrypted on an HTTPS connection, page loading will be a bit slower than it is on an unencrypted HTTP connection. This is a small trade-off in exchange for improved security.
Finally, the Electronic Frontier Foundation (EFF) has a Firefox plugin called HTTPS Everywhere, which automatically uses HTTPS to request pages from a website if it is available. For Firefox users, this is a great way to improve your browsing security without having to think about it.
By private guy (anonymous) | Posted February 06, 2012 at 12:48:33
Note that installing HTTPS Everywhere will not result in the use of the HTTPS version of this site until you write and add a rule for it. No time to show that right now, but maybe Ryan will post one (Hint).
Thanks for adding this feature to the site Ryan.
By Undustrial (registered) - website | Posted February 06, 2012 at 20:23:15
On a slightly related note I recently tried to check out the Dissidents Hamilton facebook page and wasn't allowed since I don't have an account.
Good work.
By WRCU2 (registered) - website | Posted February 12, 2012 at 05:38:46
Ryan claims:
pages should load without any certificate warnings,
I thought IT might be clever as hot hell to have my old hammer bot use this new SSL although I wasn't too keen of which protocol: TLSv1, SSLv2 or SSLv3, but when I scripted for an auto encrypted socket this is all that was returned to me:
wrcu2:$ sh RC
--2012-02-12 04:43:46-- https://raisethehammer.org/comments/
Resolving raisethehammer.org... 174.133.21.86
Connecting to raisethehammer.org|174.133.21.86|:443... connected.
ERROR: cannot verify raisethehammer.org's certificate, issued by '/C=US/O=GeoTrust, Inc./CN=RapidSSL CA':
Unable to locally verify the issuer's authority.
ERROR: certificate common name '*.webfaction.com' doesn't match requested host name `raisethehammer.org'.
To connect to raisethehammer.org insecurely, use '--no-check-certificate'.
Unable to establish SSL connection.
grep: index.html: No such file or directory
Ryan also ensures:
you will enjoy the security benefits of an encrypted connection to the site.
Security benefits eh, what about privacy? Every single page at RTH contains a small piece of JavaScript from google-analytics.com and 75% of all websites on the Internet use the infamous ga.js code. Google can track users everywhere they go with this itty bitty script and as for the false sense of security, I can find no joy in any of IT.
Comment edited by WRCU2 on 2012-02-12 05:40:04