Hi, just want your opinion:

By entering a site with the prefix 'https://', would you assume that the site is secure without looking at anything else (assuming that your browser doesn't alert you with any errors)?

Thanks

that site is NOT secure (yet), but the connection is (hopefully)

ussually i will review their SSL Cert first. if everything is ok, then i will assume that my connection is secure (encrypted).

SSL(Secure Socket Layer) tu memang secure... tapi kena pastikan code kita tu(katakan PHP) tak mempunyai vulnerbility, kalau dak, secure camna pun connection ko tu, attacker leh gak buat menda nakal...

__________________
<form name="jump">
<select name="menu" onChange="location=document.jump.menu.options[document.jump.menu.selectedIndex].value;" style="border:1px #393F31 solid;color:#393F31;font:10px Verdana;font-weight:bold;" >
<option value="0" style="background: #9CC8FE" selected>*SELECT-LINKS</option>
<option value="http://www.gengturbo.org/" style="background: #FF0000">GENGTURBO</option>
<option value="http://www.phixelgrafix.com/" target="new" style="background: #C6D607">PHIXELGRAFIX</option>
<option value="http://dailydigital.phixelgrafix.com/" style="background: #FCBC45">OLD-BLOG</option>
<option value="http://www.mesrahosting.net/" style="background: #FF99CC">WEBHOSTING</option>
</select>
</form>

Thanks DingDang and Ben-davis

---
Ben-davis: Ok, if we were to forget about the site (code) for a moment (our advisory board will go thru the program to ensure that there are no known flaws in the program) and just focus on the connection itself, would you assume that the connection is secure?

more secure than normal connection.
note that there is shared(normally shared hosting) and dedicated SSL(1 domain 1 IP).
Shared SSL is less secure than dedicated one.

btw, how do you define the 'secure' here? what do you want to protect?

__________________
LiewCF | Malaysia Bloggers Forum

It's like this, for example, if you goto: https://69.57.144.192/ you'll get a security alert, because the name on the certificate doesn't match the name of the site. But if you goto: https://www.halalcube.com/ the name on the cert and the site matches and there is no security alert. By just going to a site starting with 'https://' (and assuming that there is no security alert), in your opinion, would you assume that the connection is secure?

I know you should double click on the padlock icon to see the SSL cert information, but I just want your opinion on how much you trust a machine to tell you that it is (the browser) transmitting data securely just by the 'https://' prefix/protocol, that's the only reason why im asking this question. Thanks

What i mean by secure here, is just basically encrypted communication between the user and the server.

What do I wan't to protect? Basically a trading portal. When the project is launched, the site will enable buyers and seller of Halal products to trade online. For the first few months, we are just running it as an evaluation period (and subscription will be free). We won't be accepting any monetary transactions until we get our insurance and liability protection sorted out.

This is like an ad now... haha

yup... secure,....

__________________
<form name="jump">
<select name="menu" onChange="location=document.jump.menu.options[document.jump.menu.selectedIndex].value;" style="border:1px #393F31 solid;color:#393F31;font:10px Verdana;font-weight:bold;" >
<option value="0" style="background: #9CC8FE" selected>*SELECT-LINKS</option>
<option value="http://www.gengturbo.org/" style="background: #FF0000">GENGTURBO</option>
<option value="http://www.phixelgrafix.com/" target="new" style="background: #C6D607">PHIXELGRAFIX</option>
<option value="http://dailydigital.phixelgrafix.com/" style="background: #FCBC45">OLD-BLOG</option>
<option value="http://www.mesrahosting.net/" style="background: #FF99CC">WEBHOSTING</option>
</select>
</form>

...sufyan. what do you think?

Well... my opinion would be that I would trust secure connections based on the prefix/protocol of the URL for the reasons below. This is only my opinion and others may reasonably argue a different point of view.

1) Only sites which can speak the 'SSL language' can use 'https://' as the prefix. So normal http requests can't request data from an SSL enabled port (https).

Try visiting http://69.57.144.192:443/ (this is what you get when you try speaking plain HTTP to an SSL-enabled server port). It won't let you do anything, instead you get a 400 Bad Request error. The try the same IP:Port, but with the 'https' prefix, https://69.57.144.192:443/

2) You can't just put 'https://' infront of any site and expect it to work - it doesn't work like that.

3) 128 Bit encryption is strong - not the strongest, but strong. If you ever intercept one of these transmissions, there's a very strong chance that you would NOT be able to decrypt the cipher text without the key which was negotiated by the users browser and the server accepting the request. If you can break/decrypt this 128 Bit encryptions, you are one genius that created some algorithm and has an extremely fast computer... =)

I think thats about it for now... Thanks for all your opinions...

---
However, it is a good habit to check the SSL certificate just to be sure that everything is correct. But now days, most browsers will alert you if there is anything wrong with the ID of the site or the SSL cert.

i will trust the connection.

fact: Your customer will not notice it, and they will not know what the hell is the alert box or SSL.

Your probably need to show something to prove your secure connection. Show to your customer that he/she is on secured connection.

__________________
LiewCF | Malaysia Bloggers Forum

Any suggestions?

The only thing I can think of is a notice before they login which shows the 'Secure Seal' generated by the CA.

Thanks

they will not understand it.
u need to tell them that they are in secure connection, and a link to explain what is secure connection. Tell them they are safe in the connection.

you have something like this:
http://www.maybank2u.com.my/bottom_n...dex.shtml#data

rite?
beside the seal, say something like: "you are in secure connection now. Your data will be safe... bla.. bla.. " and invite them to click the seal for detail.

just my 2 cent

__________________
LiewCF | Malaysia Bloggers Forum

SSL connection definately is secured, just that whether the site you are connection is a trustworthy site or not.

__________________
Frederick Goh - www.frederickgoh.com

I definitely would review the cert before I submit anything
hehehehe
also I would review their company information as well as address if they have one there or supporting materials to prove their existance. Sadly most of them do not have most of the stuff. But I still buy stuff from them as long as I feel I have to trust them to get it. But most of the times these are the issues I consider.

__________________
<br><br><img src="http://www.virmedia.net/virmedia_newid.gif">