AnonTalk Bulletins Archive

The only official archive of AnonTalk!

About the secure/encrypted (HTTPS/TLS) interface

Note: "TLS" is the successor to "SSL". SSL is still a very common term, but technically wrong when one is referring to TLS.

AT currently uses a "self-signed" TLS certificate. In every way but one, it is a valid, real certificate. The only difference between a correctly created self-signed certificate (what we use) and a certificate signed by a "Certificate Authority" (each Web browser ships with a list of these) is that no third party has verified that the given certificate is tied to the correct organization or person. However, such verification is very rarely done, and actually costs thousands of dollars a year. The vast majority of authority-signed TLS certificates were issued without anything being verified. Essentially, most of us Web masters simply pay a company money to get rid of the browser warnings for the users. (Actually verified TLS certificates, sometimes referred to as "extended", are only used by huge corporations and some, but far from all, banks. There have been incidents in which even these were fooled.)

"Signing" by an external, trusted party is primarily done for the peace of mind of the average Web user, but on the technical level, our certificate provides the exact same security as your Internet bank, provided that you actually connect to this domain and not some similar one. Unfortunately, your Web browser will doubtlessly spit out big, red warnings about this site being "not secure". This is very simplified and, IMO, simply not true. It is, however, correct that the "signed by third party" part of our self-signed certificate is missing, and, in a sense, one could consider this "not secure" as a general rule.

We used to have authority-signed certificates, but since we repeatedly lost them due to fake abuse reports sent in by retards, causing the providers to remove service for us without actually investigating said abuse reports, we had to resort to self-signing. For this reason, to use the HTTPS version of this Web site properly, you must add an "exception" in your Web browser. The procedure varies slightly but typically involves checking a box. This is easy, but the Web browser will try to convince you that this is something really bad. Granted, for the average Web user, using the average "shopping" Web site, this would be very much true, but you are just somebody who doesn't want anyone to be able to snoop on the traffic between AT's server and your computer, right?

Summary: We are not doing this out of cheapness or incompetence, but because we simply have no choice! This is unfortunately the way that the system was designed, and nobody is willing to "sign" us. The Web browser warnings are not very accurate in this case. It is "safe" to use the HTTPS version of AT, even with a self-signed certificate. Your data is still as encrypted as with an authority-signed certificate. The certificate is not "broken", but simply not verified by a third party. Just add an exception in your Web browser.
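The proviso above, that you actually connect to this domain and not some similar one, can be checked before adding the exception by comparing the certificate's SHA-256 fingerprint with one obtained from the site operator over a separate channel. The following is an added example, not code from AnonTalk; the function names and the sample bytes are constructed, and since this page publishes no fingerprint, the pinned value is whatever the caller supplies.

```python
import hashlib
import socket
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def normalize(fp: str) -> str:
    """Accept browser-style 'AB:CD:...' or plain hex; return lowercase hex."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def matches_pin(der: bytes, pinned: str) -> bool:
    """True only if the certificate presented is exactly the pinned one."""
    return fingerprint(der) == normalize(pinned)


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the server certificate without CA validation (it is self-signed).

    Nothing here is trusted yet; trust comes only from matches_pin().
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-in bytes, not a real certificate. The fingerprint is a
# hash over the raw DER bytes, so any byte string demonstrates the check.
SAMPLE_DER = b"constructed-stand-in-for-DER-certificate-bytes"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    # Offline demonstration: the operator publishes a colon-separated pin.
    hex_fp = fingerprint(SAMPLE_DER)
    pin = ":".join(hex_fp[i:i + 2] for i in range(0, 64, 2)).upper()
    print("genuine certificate :", matches_pin(SAMPLE_DER, pin))
    print("different certificate:", matches_pin(SAMPLE_DER + b"x", pin))
    # Live use (hostname is the reader's to fill in):
    #   matches_pin(fetch_der("<site hostname>"), "<pin from the operator>")
```

If the fingerprints differ, the certificate being offered is not the one the operator created, and the exception should not be added.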