flat assembler
Message board for the users of flat assembler.

how many of you access board using https://

Poll: are you https:// to access this board?
- yes, add me into counter: 0% [ 0 ]
- no, not me.: 86% [ 20 ]
- i just knew i could use https://: 13% [ 3 ]
Total Votes : 23

sleepsleep
https://board.flatassembler.net/

time to use this, more secure. Cool
Post 23 Nov 2009, 19:31

ass0
More secure from what? ARP spoofing only works on LANs. If you are not confident with your ISP, a http proxy will give you more security without spending a lot of bandwidth as https.
Post 23 Nov 2009, 19:51

sleepsleep
yo ass0, any idea of how many % bandwidth increase between http and https ? idk.
Post 23 Nov 2009, 20:01

windwakr
It tells me the certificate belongs to a different website. Question

(Pictures attached: cert.PNG, bad.PNG)

_________________
----> * <---- My star, won HERE
Post 23 Nov 2009, 20:02

sleepsleep
since this board is hosted under powweb. and notice the *.powweb.com
i guess it is fine. but please correct me, i guess only.
Post 23 Nov 2009, 20:08

ass0
http://en.wikipedia.org/wiki/Transport_Layer_Security#How_it_works

But there is no info about bandwidth there, in any case the most pitfall occurs in the handshake of the protocol.

You can measure it accurately with http://www.nirsoft.net/utils/socket_sniffer.html
Post 23 Nov 2009, 20:23

ass0
BTW i would host this site for free =D with an ajax-based forum for the sake!!

_________________
Nombre: Aquiles Castro.
Location2: about:robots
Post 23 Nov 2009, 20:26

ManOfSteel
For an e-commerce/banking website, I'd understand using cryptography. Maybe! But for a forum?

Come on. Who on Earth has enough technical skills, hardware and financial resources to intercept all your communications looking for very specific strings of plain text?
Other than a super blackhat hacker who spies on high-profile targets for big bucks (1/100,000,000 of the population?), your local security services and Echelon, that is.

And who would profit from getting your password to begin with? Spammers? Your account would be blocked or nuked by the admin within hours (or minutes).

I think Internet users stand more chance getting their passwords stolen through keylogger-backdoor-trojans.


Last edited by ManOfSteel on 23 Nov 2009, 22:12; edited 1 time in total
Post 23 Nov 2009, 22:11

revolution
The HTTPS access is not clean. Some links will throw you back into non-SSL mode.

As for bandwidth, there is no significant extra bandwidth for SSL connections. Only during the initial connection there is a small overhead to negotiate the session key.
Post 23 Nov 2009, 22:12

ass0
Just put 100kb per connection of additional bandwidth, you can easily waste 100mb-500mb per day of your hosting bandwidth and that's in server side, in the other side the impact in dial-up users is high.
Post 23 Nov 2009, 22:33

LocoDelAssembly
Quote:

Come on. Who on Earth has enough technical skills, hardware and financial resources to intercept all your communications looking for very specific strings of plain text?

The Chinese government with its Great Firewall of course. Well, I'm not so sure if the Great Firewall itself is capable of that but sure thing is that they actually warn some people not to do any protest anymore.
Post 23 Nov 2009, 23:03

revolution
ass0 wrote:
Just put 100kb per connection of additional bandwidth, you can easily waste 100mb-500mb per day of your hosting bandwidth and that's in server side, in the other side the impact in dial-up users is high.

Yes, but fortunately the overhead is considerably less than 100kB.
Post 23 Nov 2009, 23:07

ass0
What exquisite model of capitalism has China: 0 syndicates, low salaries, more than 8 hours of work... Yeah babe!
Quote:
Yes, but fortunately the overhead is considerably less than 100kB.

Try yourself with socketSniffer, you will see that besides the handshake there is a small amount of more bytes for every sent/received packages.

And by default browsers don't cache SSL/TLS so you need to do the handshake every time (more than once a day).
Post 23 Nov 2009, 23:14

revolution
ass0 wrote:
Try yourself with socketSniffer, you will see that besides the handshake there is a small amount of more bytes for every sent/received packages.

Are you suggesting that "small" = "100kB"?

If you put a figure to "small", say X, and put that into your initial figure of 500MB, and do the division what do you get?

500MB / X = how many packages?


Last edited by revolution on 24 Nov 2009, 00:21; edited 1 time in total
Post 23 Nov 2009, 23:21

sleepsleep
i was thinking bout using it during log in process only.
other part, using normal http.

Quote:

Come on. Who on Earth has enough technical skills, hardware and financial resources to intercept all your communications looking for very specific strings of plain text?
Other than a super blackhat hacker who spies on high-profile targets for big bucks (1/100,000,000 of the population?), your local security services and Echelon, that is.


nowadays, lot of cafe house, eating outlets offer free wifi usage for their customer, and i use them quite frequent when i relaxing outside.
using http means, expose my password naked when by passing their wifi router to internet.

shouldn't i use https when log in, after obtained the session id or cookie, i switch back to http?
Post 23 Nov 2009, 23:30

ass0
Handshake + the difference of every package that sends/receives the client browser == 100kb(more or less).

Now 1024-5120 clients aka users/guests connecting the same day to the server == 100Mb-500Mb of server's bandwidth

Post 24 Nov 2009, 07:36

revolution
ass0 wrote:
Handshake + the difference of every package that sends/receives the client browser == 100kb(more or less).

Now 1024-5120 clients aka users/guests connecting the same day to the server == 100Mb-500Mb of server's bandwidth

Perhaps you are best to consider the percentage difference. A server with such a high usage traffic like you mention above would be using total bandwidth that is very high.

BTW: How do you arrive at 100kB? Can you please show your internal calculations for that figure.
Post 24 Nov 2009, 07:47

ass0
First time (if your certificate is 'homemade' in other words if you didn't pay to pirates like verisign) ~ 22kb

Handshake+opera sitecheck ~ 42kb
Difference of package size, average ~ 8bytes

Then if you keep visiting in a day (without leaving the site, because if you leave you need to do a new handshake), let's say 80 small pages of 24kb, as every page also contains css, js, gif elements (let's say 32 tiny elements), you will be sending/receiving 64 packages per page (mostly puny headers).

(64*8)*80 == 40960bytes == 40kb

42+40 == 82kb. Regardless of the 'homemade certificate', of course.

Post 24 Nov 2009, 11:14

tom tobias
ManOfSteel wrote:
Come on. Who on Earth has enough technical skills, hardware and financial resources to intercept all your communications looking for very specific strings of plain text?

umm, other than the FBI, dept. of Homeland Security, CIA, and FCC, no one in particular, though, last I heard, State Department was getting antsy about not being in the loop, so, they may have started up their own investigatory arm. Of course, I didn't mention the DOD, for obvious reasons-->their interception capability is classified.

Smile
Post 24 Nov 2009, 17:10

Borsuc
I think the FBI is more likely to bust the entire forum than just my account, for instance. Razz

_________________
Previously known as The_Grey_Beast
Post 24 Nov 2009, 20:16

Copyright © 1999-2020, Tomasz Grysztar.