[SIZE=2]Hi, I have a small, not-frequently-visited personal Web site which is basically just my online portfolio and resume. I’ve been reading the articles on resetthenet.org regarding using SSL certificates for one’s sites in order to make it harder for the NSA to spy on me and my (infrequent) visitors. Specifically, on http://resetthenet.tumblr.com/post/84137916350/how-we-secure-the-web-https-hsts-pfs, it says: “HTTPS, HSTS, and PFS are powerful tools that make mass spying much more difficult.”
I don’t know whether to believe this or not. Having spent my career strictly as a front-end developer (or as we used to call us when I started in 1996, Web designers), I have only the most rudimentary knowledge of Web security. I know one puts a SSL layer on a shopping cart or log in section of a site, but it was always the server administrator who did that. Would $70 (GoDaddy’s basic rate) worth of SSL keep my site free of NSA surveillance?[/SIZE]
If you’re that worried about it, I don’t think you shouldn’t put it online. This question is completely impossible to answer because you would basically need to talk to someone working for the NSA to know exactly what their capabilities are… and I don’t think that’s going to happen.
I don’t mean to be cheeky here, but honestly, I suspect the NSA has a lot more pressing concerns than who is visiting a resume/portfolio website. Unless you design bombs or something.
^ I agree, unless you’re doing something you shouldn’t be doing, like making bombs or planning a world takeover, then it’s not really anything to worry about, especially for a personal site.
No one’s really attempted to explain what SSL is so I’ll give it a go.
SSL encrypts the data being sent from the browser so that the data being sent across the internet can’t be intercepted and read in plain text.
For a normal static site like you’re describing the only data being sent from the browser is typical GET requests to HTML, CSS, Javascript and images. There’s no sensitive data being transferred across the internet so SSL won’t be giving you anything extra.
It’s crucial when people are entering private information like credit card numbers or passwords, if you’re not requesting that type of data from users of your site you don’t need to worry.
Hypothetically, SSL will not keep the NSA from telling what websites you visit. They would be able to tell the domain that you are sending/receiving traffic from, but not the actual data protected by SSL.
A VPN would likely protect you from prying eyes, but it costs money and you run the risk of the VPN service spying on you or opening its doors to a government agency.
The Tor network is also an option, but speed tends to be a factor, and the entry and exit nodes can be monitored.
The only sure way to be sure you aren’t being monitored on the Internet is to not use the internet.
Thank you for your clear explanation, and thanks to you and everyone for their responses. The replies mostly confirm my gut feeling that using SSL on my site would make no difference; as scout1idf said, if it did make a difference, it would probably be illegal. I just want so badly to do something about surveillance, but I guess we’re all just living in a fishbowl these days.
The short answer is really if google can access your site than the NSA or anyone can. The only exception would be things behind a firewall using authentication. Though the NSA can probably access that stuff someway to these days…
Yes NSA can access your site, Changing from http to https doesn’t protect from NSA surveillance. NSA keep eye on every site so by changing it to secure doesn’t mean that NSA doesn’t keep eye on it.
There is nothing about using SSL that is illegal. What scout1idf said was a little unclear. He was postulating that if SSL were truly secure, the NSA would claim that it would be illegal to use. That’s a straw man argument.
There are a few instances where government agencies have petitioned software developers of secure software to allow backdoors for monitoring. The security of these pieces of software did not make them illegal to use.
I’m not sure what you’re trying to protect but the ONLY way to keep data private is to lock it in a Faraday cage and run on batteries (or co-located generator). If there is any access to/from the outside, the NSA is the least of your concerns (but only because they won’t harm your website/data as there are some pretty smart hackers out there with tools that will amaze you).
Keep your data off public servers (and locked in a vault if you’re that paranoid). As explained above, SSL will encrypt a connection/transfer but I’m sure that a 256 bit cypher is easily broken by the resources of the NSA. Besides, it would be easier for the NSA to hack into your server and read all the unencrypted data behind any SSL protection.
There are in fact situations where it is illegal to NOT use SSL.
One of the requirements for any web page collecting credit card details is that it MUST use SSL so as to reduce the possibility of the details being stolen via a man in the middle attack.
If SSL were to be made illegal then it would become impossible to buy anything online.
Hello Front-end-bomb-developer To stop NSA spying your site, it`s impossible, i think if they wanted to do that, they can access your server directly. I suggest you develop any illegal activities face2face
To stop NSA spying your site, it`s impossible, i think if they wanted to do that, they can access your server directly. I suggest you develop any illegal activities face2face