
I have found a beautiful website for playing chess online with a human opponent. There are no ads. You are not asked to pay anything. You submit no personal information. The only thing the site knows is your web address and a unique identifier pertaining to this particular chess match. The site is called PlainChess. It is accessed only with an HTTP URL, which makes me wonder whether it is safe.

It has the following characteristics:

  • You enter the URL (http://plainchess.timwoelfle.de) and up pops the entry page, which looks like this:

    Initial page of PlainChess website

  • The person playing White enters a unique string identifying this game, such as

    Bob_2020-04-04-2131hrs
  • The person playing Black at another location must enter the exact same string.

  • Up pops a chess board on the screens of both players:

    Chess board

From here on, the only additional information transmitted by a player to the website is the instruction to move a chess piece to a particular location on the board. The website then transmits to both players an image of what the board looks like after the move is made.

My questions are:

  1. Can a hacker extract any useful information from the flow of data between players and website? All the hacker can extract presumably are the web addresses of the players and useless material on chess moves? Can this be used for bad purposes?
  2. Can a hacker insert insidious code into the website to hijack the game... For example, code that inserts an ad, or causes a jump to another website, or invisibly sends a virus to the players? (I would guess that the answer to this question will depend on what steps the website programmer has taken to stop this from happening.)
  3. Am I right in thinking that a hacker can always insert malicious code if they can impersonate the site's programmer, but that there are steps the programmer can take to make this very difficult?
  4. Is it possible for the designer of the website to transmit invisible malware to your computer, that may be hostile, that Opera will not flag? I suspect the answer is yes, easy peasy. If yes, then one has to trust the designer. In this particular case, I do.
  • If you worry that the site uses HTTP, why don't you just use the HTTPS version? https://plainchess.timwoelfle.de
    – Robert
    Commented May 4, 2020 at 14:45
  • Robert asked: "If you worry that the site uses HTTP, why don't you just use the HTTPS version?" Answer: Because there is no HTTPS version.
    – boblite
    Commented May 4, 2020 at 15:52
  • Please read my comment again. I included the HTTPS link of the chess page you mentioned for you. Just click it!
    – Robert
    Commented May 4, 2020 at 15:59
  • Hey Robert: Thanks much! Very useful, since now I can use the site with much more confidence. But the question is still not answered: whether the site is safe when accessed via HTTP.
    – boblite
    Commented May 4, 2020 at 16:10
  • Note the HTTPS cert is broken (TLS1.0) but current from LetsEncrypt - I didn't know you could even get them like that anymore. So it is really not secure. But I'll still play a game or two :)
    – Peleion
    Commented May 4, 2020 at 16:23

1 Answer


There is a lot involved in HTTPS vs HTTP, but essentially HTTPS means that the site uses SSL encryption to encrypt data when it's being sent from A to B.

The one true constant about HTTPS is that the transmission of data is encrypted, meaning that there is an extra layer of protection against anyone trying to intercept the data transfer. I bold the extra layer of protection because it should be understood that nothing is completely unhackable or foolproof; there can only be additional layers of protection.

HTTPS does not guarantee that interception cannot happen, it just makes it more difficult for it to happen.

[a] To answer this question I would have to know what your definition of useful is. All websites can tell:

  • which fonts you have installed on your computer
  • depending on the program they can tell if you have a program installed (for example they can check for Adobe, Google Chrome, etc.)
  • Which sites you've visited recently

There's an entire plethora of information that websites have free rein to see if they so choose. Here's a website that lists them and gives examples: http://browserspy.dk/accept.php

To most people this is not "useful" information, but if you sell data to advertising companies then all of this information is dollar signs.

Also, this information doesn't depend on HTTP or HTTPS; this is just information that any website can get because it's usually innocuous.

[b] To change the code of the website a hacker would need to hack into the server from which the website is hosted. This is independent of HTTPS/HTTP; it entirely depends on how secure the website host has their server set up. Furthermore, if the website calls on other websites/APIs then the source of those websites could also be hacked and then when the website's completely safe server calls on the API it will now serve you the modified version. Essentially the strength of a chain is its weakest link, but in this case in order to weaken the link you need access to the source server, which HTTPS doesn't change.

[c] I think my answer to question b pretty much covers this, the prevention of insertion of malicious code is dependent on the security of the servers that host the website and any dependent code. So yes there are measures to prevent this, but they are done on the server level, not from in your browser.

[d] Yes, you can get malware by simply visiting a website and never clicking anything. These are usually exploit kits. Preventative measures are taken by your browser, your antivirus, etc. to counteract these, but nothing is perfect. As malware evolves to be more infectious browsers evolve to protect against this, which in turn makes malware evolve to be more infectious and the cycle continues. Theoretically this cycle will never stop and the best way to protect yourself is by keeping everything up-to-date so that the newest security definitions are in place.


To sum it up, privacy on the internet is pretty much a lie; but that's a pessimistic view: most of the data that's being collected about you isn't sensitive. Do you really care if a chess website gathers the list of fonts on your computer and sells it? That decision is up to you. Some people don't care because it's not sensitive information, but for some people the fact that information that belongs to you is being sold for someone else's profit without your consent is a huge issue.

For the most part it is sensitive information that you care about. If you are entering card information into a website then HTTPS is definitely something to pay attention to. When playing chess, not as big of one.

It all boils down to trust. You have to choose whether or not you trust this website. But you have to make that decision for every website.

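Questions 1 and 2 above (what a network observer can read, and whether a game can be hijacked with injected code) can be illustrated in code. The following is an added example and is not code from the original post or from PlainChess. It simulates a passive observer reading constructed plain-HTTP chess traffic, then an on-path attacker rewriting the HTML page in transit, which needs no access to the server at all, and finally the integrity check that an authenticated channel such as TLS adds, with HMAC-SHA256 standing in for TLS record protection. The page does not show the site's real protocol, so the "/move" path and the "game" and "move" parameter names are assumptions; only the host and the game identifier come from the question.

```python
"""Added example: on-path observer and modifier of plain-HTTP chess traffic,
versus an integrity-protected record. Not PlainChess code; traffic is constructed."""
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic. Path and parameter names are assumptions.
GAME_ID = "Bob_2020-04-04-2131hrs"
MOVE_REQUEST = (
    b"POST /move?game=" + GAME_ID.encode() + b" HTTP/1.1\r\n"
    b"Host: plainchess.timwoelfle.de\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 9\r\n\r\n"
    b"move=e2e4"
)
PAGE_BODY = b"<html><body><div id=board></div><script src=chess.js></script></body></html>"
PAGE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    b"Content-Length: " + str(len(PAGE_BODY)).encode() + b"\r\n\r\n" + PAGE_BODY
)


def parse_http(message: bytes):
    """Split a raw HTTP/1.1 message into (start line, headers, body)."""
    head, _, body = message.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def passive_observer(request: bytes) -> dict:
    """What a sniffer on the path learns from one plaintext request: the host,
    the game identifier and the move. This needs no active interference."""
    start, headers, body = parse_http(request)
    method, target, _ = start.split(" ")
    params = parse_qs(urlsplit(target).query)
    if method == "POST" and headers.get("content-type") == "application/x-www-form-urlencoded":
        params.update(parse_qs(body.decode("latin-1")))
    return {
        "host": headers.get("host"),
        "game": params.get("game", [None])[0],
        "move": params.get("move", [None])[0],
    }


def inject_script(response: bytes, payload: bytes) -> bytes:
    """Active on-path attacker on plain HTTP: rewrite the HTML in transit (an ad,
    a redirect, a drive-by loader) and fix Content-Length so the browser
    accepts the altered page. The server itself is never touched."""
    start, headers, body = parse_http(response)
    if not headers.get("content-type", "").startswith("text/html"):
        return response  # only HTML pages are worth rewriting
    idx = body.rfind(b"</body>")
    if idx == -1:
        idx = len(body)
    new_body = body[:idx] + b"<script>" + payload + b"</script>" + body[idx:]
    headers["content-length"] = str(len(new_body))
    # Header names come back lower-cased; HTTP header names are case-insensitive.
    head = start + "\r\n" + "\r\n".join(f"{k}: {v}" for k, v in headers.items())
    return head.encode("latin-1") + b"\r\n\r\n" + new_body


def seal(body: bytes, key: bytes) -> bytes:
    """Stand-in for what TLS adds: an authentication tag over each record.
    Real TLS uses an AEAD cipher (and encrypts as well); HMAC-SHA256 is used
    here only to show the integrity property."""
    return hmac.new(key, body, hashlib.sha256).digest() + body


def open_sealed(record: bytes, key: bytes) -> Optional[bytes]:
    """Return the body if the tag verifies, otherwise None (record rejected)."""
    tag, body = record[:32], record[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    return body


def demo() -> None:
    print("sniffer sees:", passive_observer(MOVE_REQUEST))
    tampered = inject_script(PAGE_RESPONSE, b"location='http://ads.example/'")
    print("rewritten page:", tampered.decode("latin-1"))
    key = bytes(32)  # stand-in for a session key shared by browser and server
    sealed = seal(PAGE_RESPONSE, key)
    forged = sealed[:32] + inject_script(sealed[32:], b"location='http://ads.example/'")
    print("authentic record accepted:", open_sealed(sealed, key) is not None)
    print("tampered record accepted:", open_sealed(forged, key) is not None)


if __name__ == "__main__":
    demo()
```

Run it with `python3` and `demo()` prints the three stages: the observer recovers host, game identifier and move from the plaintext request; the rewritten page carries the injected script with a consistent Content-Length, so a browser would render it; and the same rewrite applied inside the sealed record fails verification, which is why the injection works against the HTTP site but not against a correctly configured HTTPS one.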
  • Hi Tyler: Thanks for the detailed response and the link you provided to browserspy.dk/accept.php, which is quite fascinating and full of info I never knew before. Your basic conclusion seems to be that there is little extra risk interacting with an http: site so long as sensitive info is not provided by the end user.
    – boblite
    Commented May 4, 2020 at 18:01
  • Yes, that's my short conclusion: I personally would not worry about HTTP so long as the website isn't asking for sensitive info such as email or banking credentials because that's the sort of thing that HTTPS is meant to protect against, most other security flaws are present even with HTTPS.
    – Tyler N
    Commented May 4, 2020 at 18:10
