25th March 2017
ASR league goes RSA-4096 SSL… for highest privacy + IT security of its league members
From the beginning, since the ASR Team took over the ASR – Advanced Study Room and the ASR league at the end of June 2016, the goal has been (and still is) to make all the online platforms (website + league system + forum) as secure as possible.
To give an idea of what we have to deal with: the WordPress system, which is used to run the website and forum, currently registers (illegal) attacks at a rate of ~43,900 per year / 120 per day… steadily increasing, ~220% plus in the last seven (7) months. Most of them are illegal login and malicious registration attempts.
The whole ASR server under the host addresses http://www.advancedstudyroom.org + http://advancedstudyroom.org has been reconfigured to be protected by a new SSL Certificate for secure connections between browser and web server. The former RSA-2048 SSL Certificate (B rating) has been replaced by a new SSL Certificate with an RSA-4096 bit key (key size n*8+1). It has the highest A rating.
Such a certificate fulfills two important functions:
- It authenticates the identity of the website (this guarantees visitors that they’re not on a bogus site)
- It encrypts the data that’s being transmitted
The second function is especially relevant: it ensures that our league members can’t be spied on, e.g. by being tracked from outside as they move around the website; it keeps their login and registration data confidential; it ensures trustworthy communication with the ASR team (e.g. using the contact page); and it lets ASR league members communicate safely with each other on the ASR website (in the ASR forum, via pm (private message) or chat).
The strength of an SSL certificate depends on the bit length of its public key. ASR’s new certificate uses the level of RSA-4096… with 256-bit encryption in the operating system and for web browsers (see the extract of the SSL test report of 26th March 2017). RSA-4096 for high-security environments (e.g. banks, governments) has 1,234 decimal digits / 4,096 bits (Rec.: RSA-2048 for personally-identifiable information and signing has 617 decimal digits / 2,048 bits).
It will depend on the frequency of donations by our > 465 league members whether we can invest in SSL certifications of higher security levels by CAA (Certification Authority Authorization). High-quality commercial certificates (e.g. by Symantec) are in the range of ~1,400 US dollars / year. – IT security and data protection are very costly.
How to handle SSL as a user?
It is very simple to visit a web server which is SSL certified. Just replace the regular domain http://www.advan… with https://www.advancedstudyroom.org . Some browsers, e.g. Mozilla Firefox, indicate the trustworthy visit and the SSL certificate by showing a “green padlock”.
There is a historical reason why some pages and posts are indicated as “unsafe”: the website used (and still uses) mixed content, i.e. data stored on the web server + external data (e.g. images / graphics stored on external servers for caching and speeding up the website). For the volunteers who run the ASR project it’s impossible to manually re-edit more than 600 posts and pages (from 2010-2016). – But there is no reason to worry, as the SSL Certificate is constantly valid, being updated automatically and periodically (every three (3) months).
A very few features on the ASR website do not work if a visitor uses the SSL certified links/login, because “SSL” does not allow a mix of SSL-secured content (source: http://www. …) and insecure content (source: http://www. …). For example, the player’s game archive + SGF viewer on the “personalized profile page” isn’t visible for now because of its non-SSL based “short code”. We are working on a solution (re-programming) over the next weeks to get it back asap.
If you would like to use it, you can still log in the “old way” without SSL. We recommend not doing so (for now), as you can still use your external game archive on the GO server KGS. It’s more important to take the safe route and log in via the SSL-encrypted account.
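As an added illustration (not part of the original post and not the ASR team's own code), the mixed-content situation described above can be audited automatically instead of re-editing posts by hand. The sketch below scans a post's HTML for subresources still loaded over http:// and separates those a browser blocks from those that only trigger the "unsafe" indicator; the host list, the sample post and all names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts known to serve the same content over HTTPS.
HTTPS_READY = {"www.advancedstudyroom.org", "advancedstudyroom.org"}
# Subresources browsers block outright on an HTTPS page ("active" mixed content).
ACTIVE = {"script", "iframe", "object", "embed", "link"}
# Subresources that usually still load but downgrade the padlock ("passive").
PASSIVE = {"img", "audio", "video", "source"}
URL_ATTRS = ("src", "href", "data")


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url, suggested_fix)

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE | PASSIVE:
            return  # e.g. <a href> is navigation, not a subresource
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for name in URL_ATTRS:
            url = (attrs.get(name) or "").strip()
            parts = urlsplit(url)
            if parts.scheme.lower() != "http":
                continue  # https:// and protocol-relative URLs are fine
            kind = "active" if tag in ACTIVE else "passive"
            host = (parts.hostname or "").lower()
            fix = "https" + url[4:] if host in HTTPS_READY else None
            self.findings.append((kind, tag, url, fix))


def scan_post(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample post body, not taken from the ASR site.
SAMPLE_POST = """
<p>Results <a href="http://example.org/rules">rules</a></p>
<img src="http://www.advancedstudyroom.org/wp-content/uploads/board.png">
<img src="https://cdn.example.net/ok.png">
<script src="http://cdn.example.net/sgf-viewer.js"></script>
<link rel="stylesheet" href="//cdn.example.net/style.css">
"""

if __name__ == "__main__":
    for kind, tag, url, fix in scan_post(SAMPLE_POST):
        print(f"{kind:7} <{tag}> {url} -> {fix or 'check host manually'}")
```

Findings with a suggested fix point at the site's own host and can be rewritten in bulk; the rest need a check that the external host offers the same resource over HTTPS.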
Future perspectives based on SSL …
Over the last months the ASR Team has internally tested (as an “alpha test”) different tools, e.g. for “game planning”, to let players use their time more efficiently, independent of time and place. Such tools will be available to our players on the ASR website, after safe login, very soon. – With the newest SSL Certificate in place we are now looking for Beta Testers, as we would like to offer a fully functional test environment (using SSL).
The SSL certificate will also be very relevant for “online payment” and safe donations directly on the ASR website without leaving it. The ASR Team can now start new “alpha tests”. Meanwhile donors can continue to use the safe payment via PayPal.
The following SSL test report by the trustworthy third party Qualys Inc. and its SSL Labs Vulnerability Scanner (test date: 26th March 2017) documents the web domain validation and the high strength of encryption. – Enjoy your safe surfing on the ASR web site!
SSL Test Report with ‘A rating’ on 26/03/2017 (see old report of 06/11/2016 here):