
Sunday, April 16, 2006

HotBits: Secure Requests Now Available

The HotBits server has been providing random data, generated by radioactive decay, to all comers for almost a decade (it opened to the public in June of 1996). HotBits has even attracted modest press attention, with write-ups in The New York Times and, most recently, Science News. One constraint on the use of HotBits for security applications (for example, generating encryption keys or passwords) has been that the random data were returned to the requester in the clear and hence at risk of interception by a scoundrel snooping on the network connection between the user and the HotBits server.

To reduce this vulnerability, requests for HotBits may now be sent via the https: encrypted protocol with results returned the same way. The user's confidence that the request has, in fact, been processed by the Fourmilab HotBits server can be reinforced by verifying the secure server's certificate, issued by Thawte, a root certificate authority which most Web browsers consider trusted by default. To request HotBits from the secure server, use the new Secure HotBits Request page, which is XHTML 1.0 and CSS 2.1 compliant, and contains an icon which confirms the validity of the Fourmilab certificate and may be clicked to verify it. The request page is not usually delivered in secure mode (because it contains no sensitive information), but the requests it sends to the HotBits server and the data returned by them are encrypted, as the security icon in your browser will indicate.

While the secure request form has been upgraded to strict XHTML compliance, the HTML result returned from the HotBits server is unchanged (apart from being returned via the secure HTTPS protocol) classic HTML 1.0. A number of programs and subroutine libraries request HotBits data and parse the results programmatically, and changing the format of the data returned runs the risk of torpedoing these applications for no benefit other than purity of essence. Consequently, I have no intention of changing the HotBits results format in the foreseeable future.
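As an added example (not code from Fourmilab or from this post), here is how a program that requests and parses results could insist on HTTPS with certificate and host-name verification before treating the bytes as key material. The request URL is left to the caller, and the `<pre>` hex layout of the sample result is an assumption, since the post does not show the result format.

```python
import re
import ssl
import urllib.request
from urllib.parse import urlsplit

# Constructed sample result page; the <pre> hex layout is an assumption.
SAMPLE_RESULT = """<html><head><title>Random bytes</title></head><body>
<pre>
3F9A00C47B12E5D8
A1B2C3D4
</pre>
</body></html>"""


def strict_tls_context():
    """Validate the certificate chain against the system trust store and match the host name."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def require_https(url):
    """Refuse anything that would send the request or the result in the clear."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("random data for keys must be requested over https")
    return url


def extract_random_bytes(html, expected):
    """Pull hex bytes out of the result page and fail closed on a short or garbled result."""
    match = re.search(r"<pre>(.*?)</pre>", html, re.S | re.I)
    if match is None:
        raise ValueError("no <pre> block in result")
    data = bytes.fromhex("".join(match.group(1).split()))  # ValueError on non-hex
    if len(data) != expected:
        raise ValueError(f"expected {expected} bytes, got {len(data)}")
    return data


def fetch_random_bytes(url, expected, timeout=30):
    """Request over verified TLS; url is supplied by the caller (not given in the post)."""
    with urllib.request.urlopen(require_https(url), context=strict_tls_context(),
                                timeout=timeout) as resp:
        # A redirect to http would already have exposed the data: discard it.
        require_https(resp.geturl())
        return extract_random_bytes(resp.read().decode("ascii", "replace"), expected)
```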

Yes, I am aware that HTTPS/TLS/SSL encryption is not perfectly secure, nor are site certificates an absolute guarantee of the identity of the site to whom a user is submitting a request. This is the Real World, in which nothing is ever completely certain (you may be dreaming you're reading this, on a computer screen you're hallucinating due to neural stimulation by tendrils grown into your visual cortex by the alien mutant vegetable you ate for dinner). There is no positive finite number whose reciprocal does not exceed my interest in debating such matters.

Posted at April 16, 2006 00:23