Java script, icons, html transitional, css and tables.

  • Thread starter Luigi Donatello Asero

Luigi Donatello Asero

Michael Winter said:
However, it now validates as html transitional.

As I said at the end of my previous post, removing the language attribute
would allow the element to validate under a Strict DTD. Don't go to
Transitional just to accommodate them (especially as it's not necessary).

[snip]

One possibility is not to set the icon. The other is to ask them if I may
eliminate the language attribute or use another script.
None of these comments have anything to do with me. I only discussed the
script. Make sure you direct your replies to the right people.



Ok. Fine.
I apologize.
[MW:]
The text, [current page host name], should be replaced by the domain,
and the protocol [...].

Do you mean https://www.scaiecat-spa-gigi.com should be written instead
[...]

Yes.

[Licensing terms]

There doesn't seem to be anything in that document, nor a similar one in
their legal section, that refers to the seal at all so there can't be any
terms attached to its inclusion. As far as I can see, the seal's only
purpose is to allow visitors easy (and simplified) access to the
certificate information.

Mike

Yes, and in this case the question is whether it is worth putting the seal.
I am still wondering.
 

Michael Winter

On Fri, 31 Dec 2004 21:10:05 GMT, Luigi Donatello Asero

[snip]
One possibility is not to set the icon.

Yes, that is an option.
The other is to ask them if I may eliminate the language attribute

I don't see how they could force you to use a deprecated attribute in your
mark-up. The script would run without it.
or use another script.

As I've shown, no script (neither client- nor server-side) is necessary.
The mark-up that's inserted will always be the same for documents within
the same domain, under the same protocol.

[snip]

Mike
 

Luigi Donatello Asero

Joel Shepherd said:
Luigi Donatello Asero said:
Beauregard T. Shagnasty said:
On a normal page, it [https] is useless.

Just to mention a few things:
1) it is important that the user can send data through the encryption so that
confidential data cannot be intercepted as easily

If the data being sent actually _is_ confidential, then sure.

Ok
2) it is also important that the user can identify who offers a product or a
service. A https protocol says that the site
https://www.scaiecat-spa-gigi.com is really this and not some other.
This is important for all the pages.

If this is of such pressing importance, why is that so few sites that
live and breathe by the trust their customers have in them bother to use
https for the entire site? Example: my employer (you've heard of them)
is fanatical about securing customer data, and about security in
general. But for just looking around the site, doing searches, adding
items to a cart, etc., plain ol' http is used. It's important to secure
against risk, but it's also important to objectively identify where the
risk is.



Did you visit http://www.ebusinesslex.net ?
Did you ask yourself why e-commerce has not developed so much , yet?
How much is sold through the internet and how much is sold in traditional
shops?
How secure _is_ that database, by the way? Does it have any sort of
password protection? How secure is the password and how often is it
changed?


Are the credit card numbers highly encrypted *in* the database? No? Then
couldn't some enterprising young thief simply extract the plain-text
credit card number from the database and start charging? (Answer: yes.)
If you have to bring the credit card number up on your screen in
plain-text, what is to stop some enterprising young thief from
screen-scraping it? (Answer: precious little.)

So, you mean that the database should be encrypted. How?
Also by https?
It seems to me that if you're really concerned about security and
safe-guarding your customers' valuable data, it's issues like those that
you ought to be worrying about, not about someone somehow corrupting
your sales information pages. That is a minuscule threat. Extracting
plain-text credit card numbers from any sort of data store is a real and
present threat.


I tried to make an example to know how you would get paid by credit cards.
It is not sure at all that I want to offer this way of payment.
I am considering which advantages and disadvantages this method has.
Yes, you need an account with them. Also, be aware that credit card
companies charge their clients (that'd be you) a small surcharge:
usually several percent of the amount charged will go to the credit card
company and not to yourself.

Thank you.
 

Luigi Donatello Asero

Oli Filth said:
I think this was discussed in a thread a few weeks ago. It really is
paranoid to worry about the security of the information used for general
browsing and conclude that you need to use HTTPS for every page. There
are far more likely targets for hackers when it comes to your website's
security, like your database, or even your server itself. No amount of
HTTPS will prevent this.


I do not have any server. I have an account at a webhost.
The webhost should be responsible for the security of the server.
Anyway, you may have your opinion and I am allowed to have mine.
A challenge: Try and find an established e-commerce site that uses HTTPS
for all its pages. Doing this might help convince you that the "HTTPS
everywhere" approach really is "paranoia".

That would not say much to me.
E-commerce has not been so successful, yet.
 

Joel Shepherd

Luigi Donatello Asero said:
Did you visit http://www.ebusinesslex.net ?
Briefly.

Did you ask yourself why e-commerce has not developed so much, yet?

No: it hasn't occurred to me that it's a matter of great concern at this
point.

First, e-commerce has been around for all of about ten years. In roughly
a decade it's developed from _nothing_ to supporting profitable,
multi-billion-dollar (sorry, I'm American) companies. There have been a
lot of mistakes made, and there's still a lot to learn, but for an
enterprise that's been around for only a few years, e-commerce is doing
pretty well.

How long did ordinary "brick-and-mortar" retail have to get to where it
is? Several thousand years. Yet, less than ten years after its
inception, Amazon peaked at over 30 orders/second this winter.
Relatively few brick-and-mortar businesses can approach that.

Security _is_ a problem facing e-commerce, but it is only one problem,
and it certainly hasn't proved crippling to those who have mastered it.
How much is sold through the internet and how much is sold in traditional
shops?

Who wants to pay shipping on cat litter and toilet paper?

Security concerns account for little of the discrepancy, though
_ignorance_ about security might account for more. I know many people
who won't order on line for fear of giving away their credit card
number. Yet they have no difficulty handing their credit card to a
waiter, who takes it out of their sight to process it. The online
transaction is protected by powerful encryption: the diner transaction
is completed unprotected.

That doesn't indicate a security problem with shopping online: it
indicates ignorance on the part of the shopper. If they can't understand
that their credit card transaction is secured online, how will they
perceive any benefit if every page is secured, regardless of the need?
So, you mean that the database should be encrypted.

No, I mean it is worth considering encrypting some of the data that is
in the database. It is a worthwhile safeguard to encrypt credit card
numbers before entering them in a database, and decrypt them _only_ in
software, in preparation to charging them (in software, and also using
encryption).

The point is, there is more to securing online commerce than using https
to serve up every page on the site. That is weak security, so weak that
most e-commerce sites don't bother. There really is little to be gained
by securing data that is not confidential. Securing confidential data
begins with https, but there is much that can be done afterwards to
further protect that data.
 

Luigi Donatello Asero

Joel Shepherd said:



In my opinion, that is a very good site as far as legal problems about
e-commerce are concerned.
I would recommend you to read carefully the content of the site if you are
interested in selling to consumers within the EU.

No: it hasn't occurred to me that it's a matter of great concern at this
point.

First, e-commerce has been around for all of about ten years. In roughly
a decade it's developed from _nothing_ to supporting profitable,
multi-billion-dollar (sorry, I'm American)

I also think that e-commerce has done much to be at the beginning.
However, the very fact that it is at the beginning shows that it needs to do
much more...
What do you mean by "sorry, I'm American"?


companies. There have been a
lot of mistakes made, and there's still a lot to learn, but for an
enterprise that's been around for only a few years, e-commerce is doing
pretty well.


See above



How long did ordinary "brick-and-mortar" retail have to get to where it
is. Several thousand years. Yet, less than ten years after its
inception, Amazon peaked at over 30 orders/second this winter.
Relatively few brick-and-mortar businesses can approach that.


You should compare Amazon with a very large company which sells on the
traditional market.
Otherwise you could compare a little firm selling on the net with a little
firm selling on the traditional market.
Security _is_ a problem facing e-commerce, but it is only one problem,
and it certainly hasn't proved crippling to those who have mastered it.


It depends on how you define it.
Do you mean that the responsibility for successful e-commerce lies with the
consumers?
Is he also responsible for disabling javascript in the web browsers and not
being able to visit some websites?
Who wants to pay shipping on cat litter and toilet paper?

As you see yourself, there are different problems to be solved.
Security concerns account for little of the discrepancy, though
_ignorance_ about security might account for more. I know many people
who won't order on line for fear of giving away their credit card
number. Yet they have no difficulty handing their credit card to a
waiter, who takes it out of their sight to process it. The online
transaction is protected by powerful encryption: the diner transaction
is completed unprotected.

That doesn't indicate a security problem with shopping online: it
indicates ignorance on the part of the shopper. If they can't understand
that their credit card transaction is secured online, how will they
perceive any benefit if every page is secured, regardless of the need?


I do not see your point. I recommend you to read carefully the content of
http://www.ebusinesslex.net
No, I mean it is worth considering encrypting some of the data that is
in the database. It is a worthwhile safeguard to encrypt credit card
numbers before entering them in a database, and decrypt them _only_ in
software, in preparation to charging them (in software, and also using
encryption).


What is the best way to encrypt them?
SSL again?
The point is, there is more to securing online commerce than using https
to serve up every page on the site. That is weak security, so weak that
most e-commerce sites don't bother. There really is little to be gained
by securing data that is not confidential. Securing confidential data
begins with https, but there is much that can be done afterwards to
further protect that data.


Did I say that it finishes with https?
You may have not read what I wrote about qualified electronic signatures,
for example.
Of course, https is just one aspect. But you do not improve things if you do
not consider it.
 

Richard Cornford

Oli Filth wrote:
A challenge: Try and find an established e-commerce site
that uses HTTPS for all its pages. Doing this might help
convince you that the "HTTPS everywhere" approach
really is "paranoia".

As it happens, a couple of years ago I worked on a web application
system that underlies a number of UK share trading web sites (A
confidentiality agreement prevents me naming any of the clients, and so
any of the specific sites). And as I recall those sites operated
exclusively over HTTPS. But thinking about them, there were almost no
pages that did not contain information that was very sensitive to
somebody.

However, the consequences of the overhead in using HTTPS exclusively did
become apparent when one of the clients decided that they wanted a more
'designed' front end and commissioned some HTML designers to create new
templates for all of the pages. Those new templates were the usual
Dreamweaver bloat with tables within tables within tables and hundreds
of chopped up images, etc, and the accumulated result was a web site so
slow that it was withdrawn within two weeks and reverted to its
predecessor. Over HTTP the same site would have been (just about)
viable.

Richard.
 

Richard Cornford

Michael said:
Richard was making a comparison.
The moral here is just because someone (or something)
says "this is fine" doesn't automatically make it so. ...
<snip>

Absolutely, any assertion at the foot of an e-mail says nothing and an
icon (or logo, or whatever) on a web page shows nothing.

But the situation is possibly worse than that. At present I am receiving
e-mails with virus attachments that assert that they have been scanned
by some anti-virus software (and passed as safe) operating on a domain for
which I have sole responsibility, and referring any additional questions
to a 'webmaster' e-mail address at that domain. Obviously I know that no
such anti-virus software exists, no such e-mail account exists, and if
it did I would be the recipient of any enquiries sent to it.

So why does an e-mail with a virus attachment make such an assertion? It
is because it hopes that I will take the assertion at face value and
assume the attachment is safe. For a domain that belonged to an
organisation with many employees, where many would not necessarily know
enough to be suspicious of any such assertion, it is probably an
effective strategy.

Where assertions of safety are common and true the dishonest assertion
stands much more chance of being taken at face value. So scanning
outgoing e-mail probably contributes to an overall reduction in the
transmission of viruses, but telling the recipient that you have done so
will tend to promote them, as it encourages people to believe such
assertions. And that will extend to any other assertion of 'safety'
contained within the subject of that assertion.

Richard.
 

Luigi Donatello Asero

Richard Cornford said:
<snip>

Absolutely, any assertion at the foot of an e-mail says nothing and an
icon (or logo, or whatever) on a web page shows nothing.

But the situation is possibly worse than that. At present I am receiving
e-mails with virus attachments that assert that they have been scanned
by some anti-virus software (and passed as safe) operating on a domain for
which I have sole responsibility, and referring any additional questions
to a 'webmaster' e-mail address at that domain. Obviously I know that no
such anti-virus software exists, no such e-mail account exists, and if
it did I would be the recipient of any enquiries sent to it.

So why does an e-mail with a virus attachment make such an assertion? It
is because it hopes that I will take the assertion at face value and
assume the attachment is safe. For a domain that belonged to an
organisation with many employees, where many would not necessarily know
enough to be suspicious of any such assertion, it is probably an
effective strategy.

Where assertions of safety are common and true the dishonest assertion
stands much more chance of being taken at face value. So scanning
outgoing e-mail probably contributes to an overall reduction in the
transmission of viruses, but telling the recipient that you have done so
will tend to promote them, as it encourages people to believe such
assertions. And that will extend to any other assertion of 'safety'
contained within the subject of that assertion.

Richard.

The problem you are talking about is worth mentioning but it does not concern
only the net.
As a whole we are confronted with trust and mistrust every day.
For what is money anyway? Is it not the promise that some central bank will
pay us when we show the banknote?
Happy New Year!
 

Luigi Donatello Asero

Richard Cornford said:
Oli Filth wrote:


As it happens, a couple of years ago I worked on a web application
system that underlies a number of UK share trading web sites (A
confidentiality agreement prevents me naming any of the clients, and so
any of the specific sites). And as I recall those sites operated
exclusively over HTTPS. But thinking about them, there were almost no
pages that did not contain information that was very sensitive to
somebody.

However, the consequences of the overhead in using HTTPS exclusively did
become apparent when one of the clients decided that they wanted a more
'designed' front end and commissioned some HTML designers to create new
templates for all of the pages. Those new templates were the usual
Dreamweaver bloat with tables within tables within tables and hundreds
of chopped up images, etc, and the accumulated result was a web site so
slow that it was withdrawn within two week and reverted to its
predecessor. Over HTTP the same site would have been (just about)
viable.

Richard.

Those pages containing information which are not sensitive may be available
both in http and https.
Those pages containing information which are sensitive or very sensitive
should be only in https.
I assume that if a site is very heavy, it could be split up into several sites
or uploaded on a faster server.
 

Joel Shepherd

Luigi Donatello Asero said:
"Joel Shepherd" <[email protected]> wrote:


In my opinion, that is a very good site as far as legal problems about
e-commerce are concerned. I would recommend you to read carefully
the content of the site if you are interested in selling to consumers
within the EU.

How do you know that I (or the company I work for) haven't been for
years?

Look, I'm sure that site has a lot of thought-provoking information. I
also believe that asking lawyers about securing an e-commerce site is
like asking a car salesman about the best route for your vacation.
You're likely to end up with more than you need, without having solved
the basic problem.
What do you mean by "sorry, I´m American"?

Knee-jerk anti-American sentiment on this newsgroup runs so high
sometimes, I felt it wise to preemptively apologize for daring to use
'dollars' as a unit-of-measure. :)
You should compare Amazon with a very large company which sells on the
traditional market.

Walmart? Given the number of stores they have, it's quite possible they
exceeded 30 sales/second. Maybe that's a routine event for them. Of
course, they've been around (I think) three times longer than Amazon,
and the companies really aren't comparable in size or revenue.

Anyway, to veer back on topic: Amazon serves relatively few pages over
https. Just the pages with confidential information. That hasn't had any
apparent effect on its growth, in the US or in Europe.
Do you mean that the responsibility with successful e-commerce lies in the
consumers?

No, not at all. I mean that going overboard with security is a mistake,
given that there are more pressing problems to solve. Many sites still
do a poor job of delivering enough information to consumers to enable
them to decide to make a purchase. It's a tough problem, as I'm sure you
can appreciate. If I've never been to your country, what information
would I need before I'd feel comfortable renting a vacation home from
you? Yes, I'd want to know my purchase was secure, but before that I'd
want some assurance that the mattresses didn't date from 1750 (as
someone once described them in a British hotel), that the place wasn't
next to a busy road, etc. Things like encouraging your customers to
write their own reviews might help. Securing every page won't.
Is he also responsible for disabling javascript in the webbrowsers and not
be able to visit some websites?

Well, yes. The consumer is responsible for deciding what sites to visit.
The consumer is responsible for deciding whether to enable JavaScript,
ActiveX, or whatever.
I do not see your point. I recommend you to read carefully the content of
http://www.ebusinesslex.net

I'd love to, but I really don't have the time. If you can point me to a
specific page (in English, please) that supports your point of view,
please do so.

In any event, if that page is going to assert that consumers feel more
comfortable when they see the page is served over https ... I'm not
buying. Consumers that won't make a purchase online over https due to
security concerns aren't likely to be relieved because every page is
served over https.
What is the best way to encrypt them?
SSL again?

There are a number of data encryption schemes. SSL is a protocol for
transmitting data securely, but it's not a scheme to encrypt data
persistently. Blowfish, DES and PGP are examples of schemes to actually
encrypt data. You could, for example, pass a credit card number through
a Blowfish algorithm and get another piece of data (the encrypted
number) to store in your database.
But you do not improve things if you do not consider it.

Sure. But movement should not be confused with progress. :)
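Joel's distinction above, between SSL protecting a card number in transit and a cipher protecting it once it sits in the database, as an added example that is not part of the original thread or of any poster's code. It uses AES-GCM from Go's standard library instead of the Blowfish or DES Joel names (my substitution, chosen because the authentication tag makes a tampered row fail closed). The key is assumed to be held by the application outside the database (an environment variable or a hardware module, not shown), the row layout is hypothetical, and the card number is the well-known test value 4111111111111111, constructed here and not a real card.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// StoredCard is what a database row for a card on file may hold: the
// ciphertext (nonce prepended) and the last four digits for display.
// The full number never sits in the row in the clear. (Hypothetical layout.)
type StoredCard struct {
	Last4      string
	Ciphertext []byte
}

// aad ties each ciphertext to this purpose, so a value copied from another
// field encrypted under the same key will not decrypt as a card number.
var aad = []byte("card-pan-v1")

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key is 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// luhnValid rejects malformed numbers before anything reaches the database.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		if pan[i] < '0' || pan[i] > '9' {
			return false
		}
		d := int(pan[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// EncryptCard seals the number under the application-held key (assumed to
// live outside the database) and returns only what the row is allowed to see.
func EncryptCard(key []byte, pan string) (StoredCard, error) {
	if len(pan) < 13 || len(pan) > 19 || !luhnValid(pan) {
		return StoredCard{}, errors.New("not a well-formed card number")
	}
	aead, err := newAEAD(key)
	if err != nil {
		return StoredCard{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredCard{}, err
	}
	// Seal appends ciphertext and tag to the nonce, so one column holds all of it.
	ct := aead.Seal(nonce, nonce, []byte(pan), aad)
	return StoredCard{Last4: pan[len(pan)-4:], Ciphertext: ct}, nil
}

// DecryptCard is the only way back to the plain number; it belongs in the
// charging code path, not in anything that renders a screen.
func DecryptCard(key []byte, sc StoredCard) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(sc.Ciphertext) < ns+aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := aead.Open(nil, sc.Ciphertext[:ns], sc.Ciphertext[ns:], aad)
	if err != nil {
		// Wrong key or a modified row: the GCM tag check fails closed.
		return "", errors.New("card record failed authentication")
	}
	return string(pt), nil
}

// Leaks reports whether the stored row still contains the number in the clear.
func Leaks(sc StoredCard, pan string) bool {
	return bytes.Contains(sc.Ciphertext, []byte(pan))
}

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	row, err := EncryptCard(key, "4111111111111111") // constructed test number
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: last4=%s ciphertext=%x\n", row.Last4, row.Ciphertext)
	pan, err := DecryptCard(key, row)
	fmt.Println("decrypted for charging:", pan, err)
	row.Ciphertext[len(row.Ciphertext)-1] ^= 1 // simulate a tampered row
	_, err = DecryptCard(key, row)
	fmt.Println("after tampering:", err)
}
```

The point of keeping `Last4` alongside the ciphertext is Joel's screen-scraping remark: the order screen can show "card ending 1111" without ever calling `DecryptCard`, so the plain number exists only in memory in the code that actually charges it. A copy of the database without the key yields nothing usable, which is what transport encryption alone can never give you.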
 

Luigi Donatello Asero

Joel Shepherd said:
How do you know that I (or the company I work for) haven't been for
years?


Sorry? Haven't been where?

Look, I'm sure that site has a lot of thought-provoking information. I
also believe that asking lawyers about securing an e-commerce site is
like asking a car salesman about the best route for your vacation.
You're likely to end up with more than you need, without having solved
the basic problem.


Well, in my opinion, we need, in fact, more people who have a large
competence both at law and IT.
If you do not know the laws, you cannot know what they require and if you do
not know IT, you do not know how you should comply technically with the
legal requirements.
Knee-jerk anti-American sentiment on this newsgroup runs so high
sometimes, I felt it wise to preemptively apologize for daring to use
'dollars' as a unit-of-measure. :)


Ok. I am aware of the fact that not all American people voted for Bush and
support his politics.
May I ask you whether you are against or for death penalty? I am against.
Walmart? Given the number of stores they have, it's quite possible they
exceeded 30 sales/second. Maybe that's a routine event for them. Of
course, they've been around (I think) three times longer than Amazon,
and the companies really aren't comparable in size or revenue.



It would also be useful to compare small companies (one company which
sells through the traditional channel and another one which sells on the
internet).
Anyway, to veer back on topic: Amazon serves relatively few pages over
https. Just the pages with confidential information. That hasn't had any
apparent effect on its growth, in the US or in Europe.


No, not at all. I mean that going overboard with security is a mistake,
given that there are more pressing problems to solve. Many sites still
do a poor job of delivering enough information to consumers to enable
them to decide to make a purchase. It's a tough problem, as I'm sure you
can appreciate. If I've never been to your country, what information
would I need before I'd feel comfortable renting a vacation home from
you? Yes, I'd want to know my purchase was secure, but before that I'd
want some assurance that the mattresses didn't date from 1750 (as
someone once described them in a British hotel), that the place wasn't
next to a busy road, etc. Things like encouraging your customers to
write their own reviews might help. Securing every page won't.


I did not say anything against giving much information. I try to do both
because I am of the opinion that both are important.
Most information is in Swedish so far because my one-man business is in
Sweden, but I am trying to write it in several other languages too.
So, for example, I have written a lot of information about Sweden in Italian
https://www.scaiecat-spa-gigi.com/it/svezia.html
Well, yes. The consumer is responsible for deciding what sites to visit.
The consumer is responsible for deciding whether to enable JavaScript,
ActiveX, or whatever.


I see it the other way round. I think that the responsibility with making a
site accessible lies with the webmaster...
JavaScript and especially ActiveX can be dangerous in some cases. Thus I
understand the users who disable them.
I'd love to, but I really don't have the time. If you can point me to a
specific page (in English, please) that supports your point of view,
please do so.


That website is in several languages, English too.
To read just an article might be the same as to read just a thread in
alt.html....
So, to read just an article would not say to you very much, I am afraid....


In any event, if that page is going to assert that consumers feel more
comfortable when they see the page is served over https ... I'm not
buying. Consumers that won't make a purchase online over https due to
security concerns aren't likely to be relieved because every page is
served over https.


Of course, it is possible that consumers in the USA would react in a totally
different way.
But, I suppose that at least some people appreciate that a site is served
over https.
One question about https, by the way. I had a certificate from GeoTrust
installed for the website
https://www.scaiecat-spa-gigi.com

If I understand it properly, this certificate is made by Equifax for
GeoTrust,
isn't it?
Do you think that it is a good one?
(See thread Re: SSL questions
at alt.php)

There are a number of data encryption schemes. SSL is a protocol for
transmitting data securely, but it's not a scheme to encrypt data
persistently. Blowfish, DES and PGP are examples of schemes to actually
encrypt data. You could, for example, pass a credit card number through
a Blowfish algorithm and get another piece of data (the encrypted
number) to store in your database.


Sure. But movement should not be confused with progress. :)

No. It shouldn't.
Let's put things this way:
1) If the user prefers to navigate on the pages of the website which are
served over the http protocol he can do that,
except for some pages which are served only over the https protocol.
2) If the user wants to navigate on the pages which are served over the
https protocol, he can also do it!
So, I do not see any disadvantage in serving a page over both protocols except
for some pages which should be served only over https.
Well, actually, I only sell wares to consumers resident within the EU and,
so far, not even to all countries within the EU.
The reason is that if I sell wares through the internet, I should respect
the law of the country where the consumer comes from and I do not know much
about American laws.
I am not sure that the same would apply to the intermediation for rent of
holiday lodgings but it is safer to sell to people coming from countries
which have laws which I know better. www.ebusinesslex.net also deals with
applicability of a law as far as e-commerce is concerned.
 

Oli Filth

I think his point is clear enough. If someone doesn't trust the security
of a site enough to make a purchase using their card details, etc., then
they're not going to trust the site more just because all pages are as
HTTPS.
I recommend you to read carefully the content of
http://www.ebusinesslex.net
That website is in several languages, English too.
To read just an article might be the same as to read just a thread in
alt.html....
So, to read just an article would not say to you very much, I am afraid....

I've looked through a fair few articles on that site, and I can't find
anything that concerns the sorts of security problems that you're
worried about. It certainly doesn't mention securing every single byte
of information that leaves a server.
Of course, it is possible that consumers in the USA would react in a total
different way.
But, I suppose that at least some people appreciate che a site is served
over https.

I don't think anyone would be more likely to feel secure knowing
that your whole site was served as HTTPS. I think most users would fall
into one of three categories:

1) Those who don't know anything about HTTPS won't notice any difference
(except that pages load more slowly), and so won't perceive any benefit.

2) Those who do know that HTTPS helps secure confidential information,
but still feel wary about giving their credit-card details online aren't
going to suddenly feel safer and decide to make a purchase just because
all the non-confidential pages are HTTPS as well.

3) Those who know quite a bit about HTTPS will know that there is no
rational benefit to all pages being served as HTTPS, and that their
confidential details are no more secure, and may also be suspicious (as
someone else suggested, I think).
Let's put things this way:
1) If the user prefers to navigate on the website which are served over the
http protocol he can do that,
except for some pages which are served only over the https protocol.
2) If the user wants to navigate on the pages which are served over the
https protocol, he can also do it!
So, I do not see any disadvantage to serve a page over both protocols except
for some page which should be served only over https.

I'll try and summarise (as objectively as possible):

* HTTPS is designed to prevent hackers intercepting and retrieving
confidential information as it's being transmitted by TCP/IP. Therefore
it (or an equivalent scheme) is essential when it comes to a user's
personal information and payment details.

* HTTPS is not designed specifically (AFAIK) to protect against
malicious TCP/IP injection. Anyway, the likelihood of this occurring on
a non-confidential page is minuscule. The amount of effort it would take
to intercept, block, and replace the TCP connection stream from your
server to the browser in real-time is huge.

* A malicious hacker or user is far more likely to target your server
itself, either by hacking directly, or by exploiting security holes in
badly-designed scripts. HTTPS has nothing to do with this. The security
of your scripts deserves far more attention than securing transmission
of non-confidential information.

* HTTPS-served pages take longer to load, slowing down the user's
browsing experience.

* HTTPS prevents page caching, reducing the navigation usability of your
site.

* HTTPS may bring up "this is a secure page" pop-up in some users'
browsers, slowing them down, confusing them, and possibly scaring them
or arousing suspicion.

* Most users won't understand the implications of the whole site being
served as HTTPS, and therefore will perceive no benefit.

* Offering a user a choice of HTTP or HTTPS on arriving at your site
will probably confuse them, and is irrelevant for what they're trying to
find.


Please understand that no-one is criticising you on your aim to improve
security, it's just that most people here think the approach you want to
take is missing the point somewhat.

Oli
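Luigi's proposed split (confidential pages only over https, everything else over either protocol) and the caching point in Oli's summary, worked through as an added example that is not part of the original thread or of any poster's code. It is a small Go net/http middleware; the list of sensitive path prefixes (`/order/`, `/account/`) is hypothetical, the hostname and the `/it/svezia.html` page are the ones mentioned in the thread, and the requests are run through `httptest` so it needs no server or certificate.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// sensitivePrefixes is a hypothetical list of the paths that carry
// confidential data (order forms, account pages). Everything else is
// public catalogue text that may be served over either scheme.
var sensitivePrefixes = []string{"/order/", "/account/"}

func isSensitive(path string) bool {
	for _, p := range sensitivePrefixes {
		if strings.HasPrefix(path, p) {
			return true
		}
	}
	return false
}

// SplitScheme wraps a handler so that sensitive paths are only ever served
// over TLS: a plain-HTTP request for one is redirected, a TLS request for one
// gets an uncacheable response, and every other page passes through untouched.
func SplitScheme(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isSensitive(r.URL.Path) {
			next.ServeHTTP(w, r)
			return
		}
		if r.TLS == nil {
			// Never serve it over HTTP: send the browser to the same URL under https://.
			http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusMovedPermanently)
			return
		}
		// Confidential content: keep it out of browser and proxy caches.
		w.Header().Set("Cache-Control", "no-store")
		w.Header().Set("Pragma", "no-cache")
		next.ServeHTTP(w, r)
	})
}

// catalogue stands in for the site's page handler. It allows caching unless
// the middleware has already decided otherwise.
var catalogue = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	if w.Header().Get("Cache-Control") == "" {
		w.Header().Set("Cache-Control", "public, max-age=3600")
	}
	fmt.Fprintf(w, "page %s\n", r.URL.Path)
})

// Serve runs one request through the middleware without a network and
// returns the status code, Location and Cache-Control headers.
func Serve(h http.Handler, secure bool, host, path string) (int, string, string) {
	req := httptest.NewRequest("GET", path, nil)
	req.Host = host
	if secure {
		req.TLS = &tls.ConnectionState{} // non-nil is how net/http marks a TLS request
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	res := rec.Result()
	return res.StatusCode, res.Header.Get("Location"), res.Header.Get("Cache-Control")
}

func main() {
	h := SplitScheme(catalogue)
	host := "www.scaiecat-spa-gigi.com"
	for _, c := range []struct {
		secure bool
		path   string
	}{
		{false, "/it/svezia.html"}, {true, "/it/svezia.html"},
		{false, "/order/pay?id=7"}, {true, "/order/pay?id=7"},
	} {
		st, loc, cc := Serve(h, c.secure, host, c.path)
		fmt.Printf("tls=%-5v %-18s -> %d location=%q cache-control=%q\n", c.secure, c.path, st, loc, cc)
	}
}
```

Two caveats a practitioner would add. First, the redirect protects a page, not a submission: if the form that collects the card number was itself loaded over http, a user who types into it and presses submit has already sent the data in the clear before the redirect happens, so the form page, not just the handler it posts to, must be in the sensitive set. Second, the explicit `no-store` is what keeps the confidential response out of caches; the public pages keep their `max-age` on either scheme, which is the usability cost Oli's summary is worried about, limited to the pages that actually need it.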
 

Luigi Donatello Asero

Oli Filth said:
I've looked through a fair few articles on that site, and I can't find
anything that concerns the sorts of security problems that you're
worried about. It certainly doesn't mention securing every single byte
of information that leaves a server.


It took me a very long time to go through all the articles I have
read...

I don't think anyone would be feel more likely to feel secure knowing
that your whole site was served as HTTPS. I think most users would fall
into one of three categories:

1) Those who don't know anything about HTTPS won't notice any difference
(except that pages load more slowly), and so won't perceive any benefit.


This difference is not large for people using high-speed broadband
connections.
2) Those who do know that HTTPS helps secure confidential information,
but still feel wary about giving their credit-card details online aren't
going to suddenly feel safer and decide to make a purchase just because
all the non-confidential pages are HTTPS as well.

It can be difficult to say because there are not many sites on the web which
serve all their pages over https,
but I do not think that it can make things worse, so I think it is better to
give it a try.

3) Those who know quite a bit about HTTPS will know that there is no
rational benefit to all pages being served as HTTPS, and that their
confidential details are no more secure, and may also be suspicious (as
someone else suggested, I think).


I think you missed some categories.

I'll try and summarise (as objectively as possible):

* HTTPS is designed to prevent hackers intercepting and retrieving
confidential information as it's being transmitted by TCP/IP. Therefore
it (or an equivalent scheme) is essential when it comes to a user's
personal information and payment details.

* HTTPS is not designed specifically (AFAIK) to protect against
malicious TCP/IP injection. Anyway, the likelihood of this occurring on
a non-confidential page is minuscule. The amount of effort it would take
to intercept, block, and replace the TCP connection stream from your
server to the browser in real-time is huge.



It is still safer with https.
* A malicious hacker or user is far more likely to target your server
itself, either by hacking directly, or by exploiting security holes in
badly-designed scripts. HTTPS has nothing to do with this. The security
of your scripts deserves far more attention than securing transmission
of non-confidential information.


I did not say anything against writing safe scripts. As to the server, my site is
on a web host, so it is up to them to protect it.
* Offering a user a choice of HTTP or HTTPS on arriving at your site
will probably confuse them, and is irrelevant for what they're trying to
find.

I do not share your opinion on this subject
Please understand that no-one is criticising you on your aim to improve
security, it's just that most people here think the approach you want to
take is missing the point somewhat.

Oli

You are free to express your opinion and I am entitled not to share it.

rf

Luigi Donatello Asero said:
You are free to express your opinion and I am entitled not to share it.

Even when it is the overwhelming opinion of everybody *else* in this thread?

This happens all the time. You come here for advice on some odd scheme.
Everybody tells you to not do this. You ignore everybody and claim "I am
entitled not to share your opinion".

Waste of time, really.

Oli Filth

Luigi said:
It took me a very long time to go through all the articles I have
read...

Even so, can you provide any links to specific pages that talk about
this sort of issue?
This difference is not large for people using high-speed broadband
connections.

AFAIK, the speed issue with HTTPS is not due to massively increased
content, it's the increased SSL handshaking protocols which take time,
and the encryption and decryption at each end, which take large amounts
of CPU time. So whether you have broadband or a normal modem is not that
important, HTTPS will still take longer.

In fact, someone who's actually done this already posted a real-world
example of how much this slows things down:

=========================================================================
Posted by Richard Cornford:
However, the consequences of the overhead in using HTTPS exclusively did
become apparent when one of the clients decided that they wanted a more
'designed' front end and commissioned some HTML designers to create new
templates for all of the pages. Those new templates were the usual
Dreamweaver bloat with tables within tables within tables and hundreds
of chopped up images, etc, and the accumulated result was a web site so
slow that it was withdrawn within two weeks and reverted to its
predecessor. Over HTTP the same site would have been (just about)
viable.
=========================================================================



It can be difficult to say because there are not many sites on the web which
serve all their pages over https,
but I do not think that it can make things worse, so I think it is better to
give it a try.

I gave you a comprehensive list of things that this will make worse.
I think you missed to mention some categories.

Such as?
It is still safer with https.

You're still missing the point. If you weigh up all the problems I (and
others) have mentioned against the benefit of this protection against a
tiny, tiny, tiny threat against *non-confidential* data, you're still
saying your idea sounds good?
I did not say anything against writing safe scripts. As to server my site is
on a webhost, so it is up to them to protect it.

Again, you're missing the point. As a web developer, you only have so
many hours in the day in which to work on your site. You could waste
time implementing this HTTPS idea of yours, or you could focus on a much
more probable, real-world, security issue: possible flaws in your
scripts such as SQL injection loop-holes, unencrypted passwords,
unprotected databases.
I do not share your opinion on this subject

No, it's a plain and simple fact. People use the web to get information.
If they're presented with irrelevant information (let's face it, a choice
of which protocol to use has nothing to do with looking at holiday homes
or shoes), or they have to make choices they don't understand, this
slows them down and they will go elsewhere. It's much quicker to click
the Back button than it is to work out which they want, HTTP or HTTPS.
It's a fundamental aspect of designing good websites: simplicity, speed,
clarity.
You are free to express your opinion and I am entitled not to share it.

This is true. Whether or not you go ahead with this HTTPS idea makes no
difference to anyone here. But some people actually know what they're
talking about and/or have experience of doing this, it might be a good
idea to listen to them. So far, your arguments have boiled down to "look
at http://www.ebusinesslex.net" (with no reference to a specific page),
and "I am entitled not to share your opinion". You're not going to learn
very much this way.

Oli

Luigi Donatello Asero

rf said:
Even when it is the overwhelming opinion of everybody *else* in this thread?

This happens all the time. You come here for advice on some odd scheme.
Everybody tells you to not do this. You ignore everybody and claim "I am
entitled not to share your opinion".

Waste of time, really.

I have read interesting things on this NG as in many other NGs, too.
I find some things useful and others less so. To find the useful things I need
to read even those which do not agree with my opinion.
When I express my opinion I do not mean that all people have to share it.
They may share it or not.
There may be other people who find it difficult to talk to people who do not
share their opinions.
But
I am confident that you already know that
you do not need to answer my posts if you do not want to.
Happy New Year again

Luigi Donatello Asero

Even so, can you provide any links to specific pages that talk about
this sort of issue?


Sorry, in my opinion it is not enough to read 1 or 2 pages.
Otherwise it would be enough for me to read 2-3 threads of this NG to learn
HTML.
But I may post some links in future, if you want to, anyway.
Do you want me to post them to your e-mail address or can it be something
interesting for this NG?
I am going to visit that site many other times.

AFAIK, the speed issue with HTTPS is not due to massively increased
content, it's the increased SSL handshaking protocols which take time,
and the encryption and decryption at each end, which take large amounts
of CPU time. So whether you have broadband or a normal modem is not that
important, HTTPS will still take longer.


It takes longer but as the normal connection is already very fast, the user
can accept a delay in the connection much more easily, I think.
Moreover, please do not forget that he or she can always choose to view
most pages over http.
In fact, someone who's actually done this already posted a real-world
example of how much this slows things down:

=========================================================================
Posted by Richard Cornford:
=========================================================================

It would have been enough to split the contents over more websites or load it
on a faster server, I suppose.


I gave you a comprehensive list of things that this will make worse.


But I did not change my mind. I am sorry if that disturbs you but I am still
entitled to have my opinions.



For example, the category of those who think as I do.
It is better to serve most pages over both https and http and some content
which is more sensitive only over https.
The user and search engines can choose whether they want to visit one of
them or both.

You're still missing the point. If you weigh up all the problems I (and
others) have mentioned against the benefit of this protection against a
tiny, tiny, tiny threat against *non-confidential* data, you're still
saying your idea sounds good?

I have a different opinion. You use expressions such as "You're still missing the
point" which seem to show that you believe that you are absolutely right.
That does not sound like a very good way to make people believe what you
say or write.
Again, you're missing the point. As a web developer, you only have so
many hours in the day in which to work on your site. You could waste
time implementing this HTTPS idea of yours, or you could focus on a much
more probable, real-world, security issue: possible flaws in your
scripts such as SQL injection loop-holes, unencrypted passwords,
unprotected databases.


I prefer to try to look at as many aspects as possible which can concern most
of my potential users, and I would appreciate it if you wrote more about
the subjects which you mentioned.
No, it's a plain and simple fact.
See above about what I think of the use of certain expressions which seem to
show that you believe that you are right.

People use the web to get information.
If they're presented with irrelevant information (let's face it, a choice
of which protocol to use has nothing to do with looking at holiday homes
or shoes), or they have to make choices they don't understand, this
slows them down and they will go elsewhere. It's much quicker to click
the Back button than it is to work out which they want, HTTP or HTTPS.
It's a fundamental aspect of designing good websites: simplicity, speed,
clarity.


I prefer to let people choose more than you seem to want to let them
choose...
If you used the same principle and put it to the extreme in politics you
might draw the conclusion that dictators do not want people to get confused
and decide everything for the people!
I am for democracy.

This is true.


I share your opinion this time.


Whether or not you go ahead with this HTTPS idea makes no
difference to anyone here. But some people actually know what they're
talking about and/or have experience of doing this, it might be a good
idea to listen to them. So far, your arguments have boiled down to "look
at http://www.ebusinesslex.net" (with no reference to a specific page),
and "I am entitled not to share your opinion". You're not going to learn
very much this way.


I can write in English, German, Swedish, Italian...
I make mistakes (more or less often, depending much on the language and on
how tired I am) but I still understand a lot and can explain many things.
I understand and write several other languages to some extent besides the ones
which I have mentioned above, and I used my own method to learn them.
I knew practically nothing about HTML a few years ago and now the website
http://www.scaiecat-spa-gigi.com is indexed by many search engines (just
search and test it if you want to).
I am not asking you to use my method but
I am going to use my own method to learn computer languages.
Thank you anyway.
Happy New Year!
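
Luigi's scheme (most pages reachable under both schemes, confidential pages only over HTTPS), as an added example that is not part of the original thread: a WSGI middleware that lets the ordinary catalogue pages answer over whichever scheme the visitor used, sends a plain-HTTP GET for a confidential path to its HTTPS twin (keeping the query string), and refuses a plain-HTTP POST to such a path instead of redirecting it, since a 301 cannot carry the form fields and they have already crossed the wire in clear by the time the server sees them. The sensitive path prefixes, the catalogue stand-in and the request paths are assumptions for illustration; the host name is the one mentioned in the thread. The `call` helper drives the app in-process, so nothing here needs a network or a certificate.

```python
from urllib.parse import quote

# Assumption for illustration: only these paths carry confidential data.
SENSITIVE_PREFIXES = ("/order", "/account", "/login")


def is_sensitive(path):
    """Match whole path segments, so /orders is not mistaken for /order."""
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_PREFIXES)


def https_location(environ):
    """Build the HTTPS twin of the requested URL, keeping the query string."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    if host.endswith(":80"):          # an explicit HTTP default port is wrong for HTTPS
        host = host[:-3]
    url = "https://" + host + quote(environ.get("PATH_INFO", "/"))
    query = environ.get("QUERY_STRING", "")
    if query:
        url += "?" + query
    return url


def split_scheme_middleware(app):
    """Serve ordinary pages over HTTP or HTTPS as requested; force confidential
    paths onto HTTPS. Safe methods are redirected, unsafe ones are refused,
    because a redirect cannot carry a POST body and that body (card number,
    password) has already travelled in clear when it reaches us."""
    def wrapped(environ, start_response):
        scheme = environ.get("wsgi.url_scheme", "http")
        path = environ.get("PATH_INFO", "/")
        method = environ.get("REQUEST_METHOD", "GET")
        if scheme != "https" and is_sensitive(path):
            if method in ("GET", "HEAD"):
                start_response("301 Moved Permanently",
                               [("Location", https_location(environ)),
                                ("Content-Type", "text/plain")])
                return [b"This page is only available over HTTPS.\n"]
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Confidential data must be submitted over HTTPS.\n"]
        return app(environ, start_response)
    return wrapped


def catalogue_app(environ, start_response):
    """Stand-in for the site's ordinary pages (constructed for the example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    line = "Catalogue page %s over %s\n" % (environ["PATH_INFO"], environ["wsgi.url_scheme"])
    return [line.encode("utf-8")]


def call(app, scheme, path, method="GET", query=""):
    """Drive a WSGI app in-process, no network; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {
        "wsgi.url_scheme": scheme,
        "PATH_INFO": path,
        "REQUEST_METHOD": method,
        "QUERY_STRING": query,
        "HTTP_HOST": "www.scaiecat-spa-gigi.com",   # host named in the thread
        "SERVER_NAME": "www.scaiecat-spa-gigi.com",
    }
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


site = split_scheme_middleware(catalogue_app)

if __name__ == "__main__":
    for scheme, path, method in [("http", "/casa/index.html", "GET"),
                                 ("http", "/order/step1", "GET"),
                                 ("https", "/order/step1", "GET"),
                                 ("http", "/order/step1", "POST")]:
        status, headers, _ = call(site, scheme, path, method)
        print(scheme, method, path, "->", status, headers.get("Location", ""))
```

The split keeps the visitor's choice for the catalogue pages while removing the choice exactly where it matters; the forms on the HTTPS pages must of course also post to HTTPS URLs, or the 403 branch is the only thing standing between the card number and the wire.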

Oli Filth

Luigi said:
I have read interesting things on this NG as in many other NGs, too.
I find some things useful and others less so. To find the useful things I need
to read even those which do not agree with my opinion.
When I express my opinion I do not mean that all people have to share it.
They may share it or not.
There may be other people who find it difficult to talk to people who do not
share their opinions.

Don't confuse "opinion" with "fact". A lot of the comments people have
made are real-life, concrete, practical problems with this HTTPS scheme
of yours. Just saying "I'm entitled to my opinion" and ignoring
everyone's advice is like sticking your head in the sand (i.e. ignoring
the real world).

Oli

Luigi Donatello Asero

Oli Filth said:
Don't confuse "opinion" with "fact". A lot of the comments people have
made are real-life, concrete, practical problems with this HTTPS scheme
of yours. Just saying "I'm entitled to my opinion" and ignoring
everyone's advice is like sticking your head in the sand (i.e. ignoring
the real world).

Oli

I do not. You were not talking about facts. You were trying to forecast
users' behaviour, basing your assumptions on some facts.
That means:
1) You do not seem to consider all the facts
2) we cannot know whether people will behave the way you tried to
predict.
 
