Open Data Security: How we transparently enabled HTTPS for all our customers and users - OpenDataSoft

lterrat's bookmarks 2017-04-03

Summary:

"MAKING OPEN DATA SECURITY A PRIORITY

  1. HTTPS protects everyone’s privacy
  2. All OpenDataSoft portals have been HTTPS-protected since the end of 2016
  3. OpenDataSoft customers using their own DNS are protected too, free of charge, thanks to Let’s Encrypt

In today’s world, security and privacy on the internet are under constant assault. Cryptography has become the best way to ensure communication integrity, security and confidentiality, and its adoption accelerated in 2016: 18.4% of the Alexa top million sites load via HTTPS in February 2017, compared to only 8.4% in February 2016. Security has become a number one priority for most Internet actors, to a point where Google has begun to favor HTTPS sites by ranking them better in the search results, and flagging non-HTTPS pages as non-secure in its Chrome browser.

The entire OpenDataSoft platform has supported HTTPS access ever since its creation, and now loads content via HTTPS by default since late 2016. Recent development efforts have made HTTPS activation completely automatic and effortless for OpenDataSoft customers, enhancing security for everyone.

[...]

HTTPS is just the SSL-protected version of HTTP. HTTP is a standard protocol to access any information on the world-wide web. SSL, meaning Secure Sockets Layer, encapsulates every HTTPS request in an encrypted layer.

HTTPS BENEFIT #1 – PRIVACY

HTTPS protects the communication between the client (your browser) and the web site (the server) against passive eavesdropping. Massively cracking strong SSL encryption is today still out of reach even of the most powerful governments.

HTTPS BENEFIT #2 – SECURITY

HTTPS makes sure you are talking to the real site server, and not someone else impersonating it. This is known as a ‘man-in-the-middle’ attack, and is routinely performed by governments and corporations.

HTTPS BENEFIT #3 – INTEGRITY

HTTPS makes sure you receive the information as the server sent it, and has not been tampered with on the way. This would be a ‘man-in-the-middle’ attack as well.

[...]

The main concept in SSL is public-key encryption, also called asymmetric encryption. Everyone gets a couple of keys: one public, one private. The public key is given to everyone, while the private key is kept secret. For example, in the popular RSA cryptosystem, the private key is a couple of large prime numbers, and the public key is their product.

Public key cryptosystems have two main applications.

  • Encryption: anyone can encrypt a message using my public key that only I can decrypt, using my secret private key.
  • Authentication: I can publish an encrypted message using my private key, and anyone can check that I’m the only one who could have sent it.

This last property is incredibly useful as a signature. A message with a signature generated with my private key cannot be forged, as my private key is required to make the signature."
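The two uses of a key pair that the excerpt describes, worked through in Python as an added example (not code from the OpenDataSoft post): textbook RSA built from two constructed small primes, with encryption under the public key, signing under the private key, and the tamper and forgery checks that the integrity and authentication benefits rest on. It assumes Python 3.8+ and uses unpadded RSA for illustration only.

```python
# Added example, not code from the OpenDataSoft post: textbook (unpadded) RSA on
# constructed small primes. Real TLS uses padding (OAEP/PSS) and 2048-bit+ keys.
from hashlib import sha256

def generate_keypair(p, q, e=65537):
    """Private key: the primes (p, q) and exponent d; public key: (n, e)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (needs Python 3.8+)
    return (n, e), (n, d)

def encrypt(public_key, m):
    """Anyone with the public key can encrypt an integer m < n."""
    n, e = public_key
    return pow(m, e, n)

def decrypt(private_key, c):
    """Only the holder of the private exponent d recovers m."""
    n, d = private_key
    return pow(c, d, n)

def _digest(message, n):
    """Hash the message and reduce it into the RSA modulus."""
    return int.from_bytes(sha256(message).digest(), "big") % n

def sign(private_key, message):
    """Signature: the message digest raised to the private exponent."""
    n, d = private_key
    return pow(_digest(message, n), d, n)

def verify(public_key, message, signature):
    """Check a signature with the public key; a tampered message or a
    signature made with another key fails."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)

# Constructed demo primes (the 9999th and 10000th primes); far too small for real use.
PUBLIC, PRIVATE = generate_keypair(104723, 104729)

def demo():
    """Exercise both uses of the key pair and report each outcome."""
    msg = b"open data is public, the channel should still be private"
    sig = sign(PRIVATE, msg)
    _, other_private = generate_keypair(61, 53, e=17)  # someone else's key pair
    return {
        "decrypts": decrypt(PRIVATE, encrypt(PUBLIC, 42)) == 42,
        "verifies": verify(PUBLIC, msg, sig),
        "tampered": verify(PUBLIC, msg + b"!", sig),              # integrity
        "forged": verify(PUBLIC, msg, sign(other_private, msg)),  # authenticity
    }
```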

Link:

https://www.opendatasoft.com/2017/03/29/open-data-security-how-we-transparently-enabled-https-for-all-our-customers-and-users/

From feeds:

Open Access Tracking Project (OATP) » lterrat's bookmarks

Tags:

Date tagged:

04/03/2017, 00:27

Date published:

04/02/2017, 20:27