SitePoint Sponsor

User Tag List

Results 1 to 15 of 15
  1. #1
    SitePoint Enthusiast Jenny McDermott's Avatar
    Join Date
    Jan 2002
    Location
    St. Louis Park MN
    Posts
    87
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Question Does making http:// site into https:// protect against NSA surveillance?

    Hi, I have a small, not-frequently-visited personal Web site which is basically just my online portfolio and resume. I've been reading the articles on resetthenet.org regarding using SSL certificates for one's sites in order to make it harder for the NSA to spy on me and my (infrequent) visitors. Specifically, on http://resetthenet.tumblr.com/post/8...https-hsts-pfs, it says: "HTTPS, HSTS, and PFS are powerful tools that make mass spying much more difficult."

    I don't know whether to believe this or not. Having spent my career strictly as a front-end developer (or as we used to call us when I started in 1996, Web designers), I have only the most rudimentary knowledge of Web security. I know one puts a SSL layer on a shopping cart or log in section of a site, but it was always the server administrator who did that. Would $70 (GoDaddy's basic rate) worth of SSL keep my site free of NSA surveillance?​
    "Nobody ever went broke by underestimating
    the taste of the American public." -- H.L. Mencken

  2. #2
    SitePoint Addict bronze trophy mawburn's Avatar
    Join Date
    Apr 2014
    Posts
    205
    Mentioned
    6 Post(s)
    Tagged
    0 Thread(s)
    lol what?

    If you're that worried about it, I don't think you shouldn't put it online. This question is completely impossible to answer because you would basically need to talk to someone working for the NSA to know exactly what their capabilities are... and I don't think that's going to happen.

    But since you're curious anyway, you should at least read about the Heartbleed bug a couple months ago. http://en.wikipedia.org/wiki/Heartbleed#Impact

  3. #3
    It's all Geek to me silver trophybronze trophy
    ralph.m's Avatar
    Join Date
    Mar 2009
    Location
    Melbourne, AU
    Posts
    24,177
    Mentioned
    454 Post(s)
    Tagged
    8 Thread(s)
    I don't mean to be cheeky here, but honestly, I suspect the NSA has a lot more pressing concerns than who is visiting a resume/portfolio website. Unless you design bombs or something.

  4. #4
    SitePoint Wizard bronze trophy bluedreamer's Avatar
    Join Date
    Jul 2005
    Location
    Middle England
    Posts
    3,361
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    ^ I agree, unless you're doing something you shouldn't be doing, like making bombs or planning a world takeover, then it's not really anything to worry about, especially for a personal site.

  5. #5
    Programming Team silver trophybronze trophy
    Mittineague's Avatar
    Join Date
    Jul 2005
    Location
    West Springfield, Massachusetts
    Posts
    17,157
    Mentioned
    190 Post(s)
    Tagged
    2 Thread(s)
    To quote
    Quote Originally Posted by Kinks
    Got no privacy, got no liberty
    Cos the twentieth century people
    Took it all away from me.
    We have been fore-warned

  6. #6
    padawan silver trophybronze trophy markbrown4's Avatar
    Join Date
    Jul 2006
    Location
    Victoria, Australia
    Posts
    4,108
    Mentioned
    28 Post(s)
    Tagged
    2 Thread(s)
    No one's really attempted to explain what SSL is so I'll give it a go.

    SSL encrypts the data being sent from the browser so that the data being sent across the internet can't be intercepted and read in plain text.
    For a normal static site like you're describing the only data being sent from the browser is typical GET requests to HTML, CSS, Javascript and images. There's no sensitive data being transferred across the internet so SSL won't be giving you anything extra.
    It's crucial when people are entering private information like credit card numbers or passwords, if you're not requesting that type of data from users of your site you don't need to worry.

  7. #7
    SitePoint Enthusiast scout1idf's Avatar
    Join Date
    Nov 2009
    Location
    Ohio
    Posts
    83
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    The original question was.....
    Does making http:// site into https:// protect against NSA surveillance?
    I seriously doubt that any type of encryption would stop the NSA from spying on you if they really wanted to.

    If just switching to HTTPS:// or using SSL had any effect, they would be against the law, world wide, not just in the USA.

    I hope this answers your question, without making you paranoid

  8. #8
    Barefoot on the Moon! silver trophy Force Flow's Avatar
    Join Date
    Jul 2003
    Location
    Northeastern USA
    Posts
    4,606
    Mentioned
    56 Post(s)
    Tagged
    1 Thread(s)
    Hypothetically, SSL will not keep the NSA from telling what websites you visit. They would be able to tell the domain that you are sending/receiving traffic from, but not the actual data protected by SSL.

    A VPN would likely protect you from prying eyes, but it costs money and you run the risk of the VPN service spying on you or opening its doors to a government agency.

    The Tor network is also an option, but speed tends to be a factor, and the entry and exit nodes can be monitored.

    The only sure way to be sure you aren't being monitored on the Internet is to not use the internet.
    Visit The Blog | Follow On Twitter
    301tool 1.1.5 - URL redirector & shortener (PHP/MySQL)
    Can be hosted on and utilize your own domain

  9. #9
    SitePoint Enthusiast Jenny McDermott's Avatar
    Join Date
    Jan 2002
    Location
    St. Louis Park MN
    Posts
    87
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    So I guess I won't bother with SSL for my site

    Quote Originally Posted by markbrown4 View Post
    No one's really attempted to explain what SSL is so I'll give it a go.

    SSL encrypts the data being sent from the browser so that the data being sent across the internet can't be intercepted and read in plain text.
    For a normal static site like you're describing the only data being sent from the browser is typical GET requests to HTML, CSS, Javascript and images. There's no sensitive data being transferred across the internet so SSL won't be giving you anything extra.
    It's crucial when people are entering private information like credit card numbers or passwords, if you're not requesting that type of data from users of your site you don't need to worry.
    Thank you for your clear explanation, and thanks to you and everyone for their responses. The replies mostly confirm my gut feeling that using SSL on my site would make no difference; as scout1idf said, if it did make a difference, it would probably be illegal. I just want so badly to do something about surveillance, but I guess we're all just living in a fishbowl these days.
    "Nobody ever went broke by underestimating
    the taste of the American public." -- H.L. Mencken

  10. #10
    SitePoint Wizard bronze trophy
    Join Date
    Jul 2006
    Location
    Augusta, Georgia, United States
    Posts
    4,147
    Mentioned
    16 Post(s)
    Tagged
    3 Thread(s)
    The short answer is really if google can access your site than the NSA or anyone can. The only exception would be things behind a firewall using authentication. Though the NSA can probably access that stuff someway to these days…
    The only code I hate more than my own is everyone else's.

  11. #11
    SitePoint Member rosemarry12's Avatar
    Join Date
    Jun 2014
    Location
    California
    Posts
    4
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Yes NSA can access your site, Changing from http to https doesn't protect from NSA surveillance. NSA keep eye on every site so by changing it to secure doesn't mean that NSA doesn't keep eye on it.

  12. #12
    Barefoot on the Moon! silver trophy Force Flow's Avatar
    Join Date
    Jul 2003
    Location
    Northeastern USA
    Posts
    4,606
    Mentioned
    56 Post(s)
    Tagged
    1 Thread(s)
    Quote Originally Posted by Jenny McDermott View Post
    Thank you for your clear explanation, and thanks to you and everyone for their responses. The replies mostly confirm my gut feeling that using SSL on my site would make no difference; as scout1idf said, if it did make a difference, it would probably be illegal. I just want so badly to do something about surveillance, but I guess we're all just living in a fishbowl these days.
    Quote Originally Posted by scout1idf View Post
    I seriously doubt that any type of encryption would stop the NSA from spying on you if they really wanted to.

    If just switching to HTTPS:// or using SSL had any effect, they would be against the law, world wide, not just in the USA.
    There is nothing about using SSL that is illegal. What scout1idf said was a little unclear. He was postulating that if SSL were truly secure, the NSA would claim that it would be illegal to use. That's a straw man argument.

    There are a few instances where government agencies have petitioned software developers of secure software to allow backdoors for monitoring. The security of these pieces of software did not make them illegal to use.
    Visit The Blog | Follow On Twitter
    301tool 1.1.5 - URL redirector & shortener (PHP/MySQL)
    Can be hosted on and utilize your own domain

  13. #13
    Certified Ethical Hacker silver trophybronze trophy dklynn's Avatar
    Join Date
    Feb 2002
    Location
    Auckland
    Posts
    14,653
    Mentioned
    19 Post(s)
    Tagged
    3 Thread(s)
    I'm not sure what you're trying to protect but the ONLY way to keep data private is to lock it in a Faraday cage and run on batteries (or co-located generator). If there is any access to/from the outside, the NSA is the least of your concerns (but only because they won't harm your website/data as there are some pretty smart hackers out there with tools that will amaze you).

    Keep your data off public servers (and locked in a vault if you're that paranoid). As explained above, SSL will encrypt a connection/transfer but I'm sure that a 256 bit cypher is easily broken by the resources of the NSA. Besides, it would be easier for the NSA to hack into your server and read all the unencrypted data behind any SSL protection.

    Regards,

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK)
    Client and (unpaid) WHB Ambassador
    mod_rewrite Tutorial Article (setup, config, test & write
    mod_rewrite regex w/sample code) and Code Generator

  14. #14
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,812
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    There are in fact situations where it is illegal to NOT use SSL.

    One of the requirements for any web page collecting credit card details is that it MUST use SSL so as to reduce the possibility of the details being stolen via a man in the middle attack.

    If SSL were to be made illegal then it would become impossible to buy anything online.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  15. #15
    SitePoint Wizard webcosmo's Avatar
    Join Date
    Oct 2007
    Location
    Boston, MA
    Posts
    1,480
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Hello Front-end-bomb-developer To stop NSA spying your site, it`s impossible, i think if they wanted to do that, they can access your server directly. I suggest you develop any illegal activities face2face


Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •