All 2 million+ pages of website now secured by SSL encryption
By Todd Northrop
As of June 26, 2015, Lottery Post is serving all of its pages over SSL encryption.
Previously, security-critical portions of the website, such as the Log In page and the password change page, were protected by SSL encryption, but the remainder of the site was transmitted over normal, non-encrypted HTTP communications.
To make the transition to all-SSL connections, the website is currently redirecting all non-SSL connections to the SSL-protected version of the site. The result is a lot more privacy for users.
SSL connections are the encrypted communications abilities built into web browsers like Internet Explorer and Google Chrome that allow activities like banking transactions to remain secure. A web user knows their connection is secured by examining the URL (web address) of the website and seeing it begin with "https://".
SSL works in three steps: First, it validates the identity of a website; then, it creates an encrypted connection; finally, it makes sure that the data was sent without an issue.
Lottery Post goes one step further to demonstrate security to its visitors and members by employing an "Extended Validation" (EV) security certificate, which appears as a green color in the web address display of the web browser. An illustration of the appearance of the EV certificate in Google Chrome can be found below.
An EV certificate clearly shows to web visitors that they are visiting the actual page they are trying to reach, and it has not been "hijacked" by a hacker or malware. Lottery Post's EV certificate shows the company name "Speednet Group LLC" — the company that owns and operates the website.
Lottery Post also employs HTTP Strict Transport Security, which is supported in modern web browsers. This technique sends a signal to the web browser, indicating that the website is completely encrypted and that all future communications with the website should always be directed through an encrypted (SSL) channel. It is a method to prevent hackers from employing a so-called "man-in-the-middle" attack to steal sensitive information passed between the web browser and the Lottery Post website.
Moving Lottery Post to complete encryption was far more difficult than it is for most websites, not only because of the sheer volume of web pages (more than 2 million), but also because of the nature of the content posted by users on the forums and blogs.
Lottery Post members are free to post images on the forums and blogs, and most of those images are hosted on non-secure image hosting services, such as imgur, Photobucket, and other such services. If a secure web page included non-secure images, the web browser would issue warnings to the user and perhaps refuse to display the page at all.
The developer of Lottery Post invented a technique that continues to allow users to publish whatever non-secure images they wish, but when the forum page displays the image, it is automatically re-hosted at a secure Lottery Post service and transmitted over the same encrypted communications as the rest of the page.
In doing so, Lottery Post has dedicated a tremendous allocation of effort and data storage to ensure 100% security to its members and visitors.
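The article does not say how the re-hosting works, so the following is an added sketch of one common way to do it, not Lottery Post's code: plain-HTTP image URLs in a post are rewritten to a signed HTTPS proxy URL, and the proxy checks the signature before fetching. The proxy host, URL layout, key and function names are all hypothetical.

```python
import hashlib
import hmac
import html
import re
from typing import Optional
from urllib.parse import quote, unquote

# Hypothetical values: the article does not name its image service or key handling.
PROXY_BASE = "https://img-proxy.example/fetch"
SECRET_KEY = b"constructed-demo-key"  # constructed; load from a secret store in practice

# Quoted src attributes only; assumes posts were already normalized by an HTML sanitizer.
IMG_SRC = re.compile(r'(<img\b[^>]*?\ssrc\s*=\s*)(["\'])(.*?)\2', re.I | re.S)


def sign(url: str) -> str:
    """HMAC-SHA256 over the origin URL, so only URLs the site emitted are fetched."""
    return hmac.new(SECRET_KEY, url.encode("utf-8"), hashlib.sha256).hexdigest()


def proxied_url(url: str) -> str:
    return f"{PROXY_BASE}/{sign(url)}?url={quote(url, safe='')}"


def rewrite_images(post_html: str) -> str:
    """Point every plain-HTTP <img src> at the HTTPS proxy; leave HTTPS images alone."""
    def repl(match: re.Match) -> str:
        prefix, q, src = match.groups()
        origin = html.unescape(src).strip()  # attribute values are entity-encoded
        if origin.lower().startswith("http://"):
            src = proxied_url(origin)  # hex digest + percent-encoding: attribute-safe
        return f"{prefix}{q}{src}{q}"
    return IMG_SRC.sub(repl, post_html)


def verify_request(digest: str, encoded_url: str) -> Optional[str]:
    """Proxy side: return the origin URL to fetch, or None if the request is rejected."""
    url = unquote(encoded_url)
    if not url.lower().startswith(("http://", "https://")):
        return None  # refuse file:, data:, javascript: and similar schemes
    if not hmac.compare_digest(digest.encode(), sign(url).encode()):
        return None  # unsigned or tampered URL: the proxy is not an open relay
    return url  # a real fetcher should also refuse private/internal addresses
```

Because the rewrite happens when the page is rendered, the stored post keeps the user's original image URL, and the browser only ever sees HTTPS sources.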
When users connect to any website over SSL, a network snoop can see that the person is communicating with the website, but the content of their communication with the site is entirely private. That means that even though network operators can see that users are connecting to Lottery Post, they can't see what username they're logged in under or which posts they're submitting to the site.
Major websites have switched over to default encryption in recent weeks, including Wikipedia, Reddit, and all federal websites, driven largely by security concerns. SSL also prevents attackers from injecting malware into an otherwise legitimate data stream, an increasing concern in the wake of the Snowden leaks.
Why this matters: Knowing how expansive online government surveillance is, HTTPS is a critical tool for retaining privacy. It can't stop your ISP from knowing which sites you visit, but it can stop anyone from passively reading your traffic. Privacy isn't the only reason to add HTTPS, however, as HTTPS can help defend against malicious attacks such as session hijacking.