
Why so many cryptocurrency related websites do not use SSL

As you can see, the cryptocrawl.in faucets don’t use SSL either.
(But you don’t have to register there, so that should be OK for you.)

So I want to explain the reasons here, and why this is bad practice in general.

When I surfed across cryptocurrency-related websites, for example:
– faucets – advertising networks – new projects –

I discovered so many websites that want you to register with a nickname, email and a password. The first thing I noticed was the missing SSL connection. I don’t want to imagine how many people register there without a second thought, maybe with the same login credentials they use for their social media accounts.

What is the risk?

So what is the risk – what is the matter?
I will explain it as simply as I can in English (my German is much better).
When you surf to a non-encrypted (non-SSL) website, everything you type into a form field is transmitted in PLAINTEXT.

A website without SSL is 90’s style

When you enter a password there and a “bad guy” listens/sniffs on port 80 (standard HTTP) on the server, he will easily obtain your login credentials because the connection is not encrypted – and, as mentioned above, maybe he will also get the login credentials for your social media or PayPal account.

It also doesn’t help when a website owner promises you that he will hash your password in the database – there is still a leak!
First of all, the connection from your home (browser) to the website has to be encrypted with SSL.
And this is the job of the website owner, not yours – but you can tell him you won’t sign up/register until he encrypts his website. If a lot of people do this, he has to react.

Main Reasons

  • The Website-owner doesn’t care about his Visitors
  • Problem with mixed-content
  • Thinks that SSL certificates are expensive

I think these 3 points are the main reasons why so many cryptocurrency-related websites do not use SSL.

 

  1. The website owner doesn’t care about his visitors. He just wants to make maximum profit with his website – and maybe he doesn’t know anything about encryption and security.
    But he wants to handle your cryptocurrency?
    I don’t think it is smart to deposit any cryptocurrency there – what do you think?
    Or he wants to encrypt his website but erroneously thinks that an SSL certificate is expensive.
    (more at point 3)
  2. Problem with mixed content (technical)
    Maybe that’s the TOP reason why the website doesn’t provide an SSL connection.
    What is mixed content?
    If you have a website with SSL enabled, you can only put ads, banners, widgets and so on there that also support SSL.
    And when you put in a link with e.g.:
    src="http://example.com/nicepicture.gif"

    you get a very ugly certificate error message in your browser, and if a visitor gets a certificate error he will stay away.
    (A paradox that I will explain at the end of the article.)
    The source link has to be e.g.:
    src="https://example.com/nicepicture.gif"

    but not every site provides this. A lot of advertisement networks promise that they support SSL – and of course they do in theory – but they don’t check that the advertiser
    puts in a banner with SSL support. So when the advert is a banner without SSL, you get the ugly mixed content error message back.
    Google AdSense provides really good SSL support – there are very rarely ads without SSL support (you can easily disable them). As you can see, Google is a big player and has only a few non-SSL ads,
    so you can imagine what this looks like at smaller companies: they accept everything.
  3. Thinks that SSL certificates are expensive.
    This is totally wrong – since the absolutely fantastic project Let’s Encrypt opened its doors, it is completely free.
    Another solution is to connect your website to Cloudflare; they have a free plan which includes SSL support for most modern browsers.
    If your hosting provider doesn’t support Let’s Encrypt and you don’t have the opportunity to switch to Cloudflare, you should consider changing your hosting provider.
    If you run your own VPS/root server, the following admin control panels have native Let’s Encrypt support:

both made in Germany
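An added example (not part of the original article): a small Python check a site owner can run over a page before switching it to HTTPS. It lists every `src="http://…"`-style reference that would trigger the mixed-content problem from point 2 and, going slightly beyond that point, forms that would still submit to plain HTTP. The page URL, host names and sample HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attributes whose URL the browser loads (or, for <form>, submits to).
URL_ATTRS = {
    "img": ["src"], "script": ["src"], "iframe": ["src"], "embed": ["src"],
    "audio": ["src"], "video": ["src", "poster"], "source": ["src"],
    "object": ["data"], "link": ["href"], "form": ["action"],
}

class MixedContentScanner(HTMLParser):
    """Collects plain-http references on a page that is served over HTTPS."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link rel="canonical"> and similar are not fetched; stylesheets are.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for name in URL_ATTRS.get(tag, []):
            # Resolve relative and protocol-relative (//host/path) URLs first.
            absolute = urljoin(self.page_url, (attrs.get(name) or "").strip())
            if urlparse(absolute).scheme == "http":
                self.findings.append((tag, name, absolute))

def find_mixed_content(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; all hosts are placeholders.
SAMPLE_PAGE = """
<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="http://faucet.example/">
<script src="//cdn.example/lib.js"></script>
<img src="http://example.com/nicepicture.gif">
<img src="https://example.com/nicepicture.gif">
<iframe src="http://ads.example/banner?id=1"></iframe>
<form action="http://faucet.example/login" method="post">
<input name="email"><input type="password" name="password"></form>
<a href="http://example.org/">ordinary link, not loaded by the page</a>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content("https://faucet.example/", SAMPLE_PAGE):
        print(f"<{tag} {attr}> -> {url}")
```

Relative and protocol-relative URLs inherit the page's HTTPS scheme, so only the hard-coded `http://` references are reported.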

The paradox of website security

A fictional casual internet user knows the websites he visits daily and would immediately notice if something were odd at the login prompt because of a missing green SSL address bar.
But if the same fictional internet user surfs to a brand new site which offers him the chance to win e.g. 1000$ just for signing up/registering, he doesn’t care about a missing green SSL address bar.

You got it?

The same fictional internet user enters a website with a self-signed SSL certificate and gets a BIG NOT-SECURE warning in his browser – the user stays away from this site – but why?
Because trusted companies like Google, Firefox etc. don’t accept self-signed certificates – but in my opinion the RED warning is totally wrong – an orange one with the message
that it is a self-signed certificate, that the connection IS ENCRYPTED but should be handled carefully, would be easier for a casual internet user to understand.

What do you think about SSL?
