SSL encryption .... necessary or not?

Leighton Marjoram
Posts: 8
Joined: Tue Apr 23, 2013 3:53 pm
Has thanked: 10 times
Been thanked: 6 times

SSL encryption .... necessary or not?

Post by Leighton Marjoram »

Hi, this is my first post and I have been wondering ... on my websites when people buy or send personal information on my sites they are directed to a webpage with HTTPS/SSL encryption that stops information being sent between the client and the server in plain text (and being readable in transit). Is this needed in Kitely Worlds when chat is used in world? Excuse the newbie tone but that's exactly what I am. The reason I ask is that I hope to use my regions as a place to meet therapy clients, supervisors and students and I need to keep their information in transit secure ... Any advice or information would be greatly appreciated. If further information is needed, please ask.

Leighton
Ilan Tochner
Posts: 6529
Joined: Sun Dec 23, 2012 8:44 am
Has thanked: 4992 times
Been thanked: 4473 times

Re: SSL encryption .... necessary or not?

Post by Ilan Tochner »

Welcome to Kitely Leighton :-)

Kitely uses encrypted communications in various parts of its web-based control panel but inworld chat is not encrypted.

That said, it is safer from eavesdropping than using regular email which is transferred between multiple servers in plain text and may be stored unencrypted on those servers for an indefinite amount of time.

If you're allowed to use unencrypted emails when communicating with your therapy clients then you should be fine using inworld chat. Please note that HTTPS/SSL only encrypt the email between your email client and the email server it is connected to, they don't encrypt the email while it is stored on that server or transferred between servers. To get end-to-end protection you would need to use something like PGP (https://en.wikipedia.org/wiki/Pretty_Good_Privacy) to encrypt your emails.
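
As an added illustration of the hop-by-hop point in the post above (not code from the forum thread or from Kitely): each mail server records how it received a message in a `Received:` header, and the RFC 3848 `with` keyword shows whether that hop used TLS. The message, hostnames and IDs below are constructed, and the helper names are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample: hostnames and addresses are placeholders, not real servers.
# Received headers are prepended, so the top one is the LAST hop.
SAMPLE = """\
Received: from out.provider.example (out.provider.example [192.0.2.10])
\tby mx.recipient.example with ESMTP id abc123
\tfor <client@recipient.example>; Tue, 23 Apr 2013 16:05:02 +0000
Received: from submit.provider.example (submit.provider.example [192.0.2.5])
\tby out.provider.example with ESMTPS id def456;
\tTue, 23 Apr 2013 16:05:01 +0000
Received: from [198.51.100.7] by submit.provider.example with ESMTPSA id ghi789;
\tTue, 23 Apr 2013 16:05:00 +0000
From: therapist@provider.example
To: client@recipient.example
Subject: appointment

See you Thursday.
"""

HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+([^\s;]+)", re.I)
# RFC 3848 keywords: a trailing S (before an optional A) means the hop used TLS.
PROTO_RE = re.compile(r"^(?:UTF8)?(?:E?SMTP|LMTP)(S?)A?$", re.I)

def classify(proto):
    m = PROTO_RE.match(proto)
    if not m:
        return "unknown"
    return "tls" if m.group(1) else "plaintext"

def hops(raw):
    """Return (sender, receiver, protocol, verdict) per hop, in transit order."""
    msg = message_from_string(raw)
    result = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        if m:
            result.append((m.group(1), m.group(2), m.group(3), classify(m.group(3))))
    return result

def unprotected_hops(raw):
    """Hops where the message was not reported as sent over TLS."""
    return [h for h in hops(raw) if h[3] != "tls"]

if __name__ == "__main__":
    for sender, receiver, proto, verdict in hops(SAMPLE):
        print(f"{sender} -> {receiver}: {proto} ({verdict})")
    # Even an all-TLS path leaves the message readable on every server it passes
    # through; only end-to-end encryption such as PGP covers storage as well.
```

The headers are self-reported by each server and can be forged by earlier hops, so treat the result as an indication rather than proof.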
Leighton Marjoram
Posts: 8
Joined: Tue Apr 23, 2013 3:53 pm
Has thanked: 10 times
Been thanked: 6 times

Re: SSL encryption .... necessary or not?

Post by Leighton Marjoram »

Thank you for your reply, it was very helpful. I currently use Google Apps for my emails (with HTTPS always). I was wondering if you could answer a question about Google HTTPS: is this encrypted securely? Or would a service like Hushmail be more suitable, as I also have email accounts with them but have not heard of PGP before, so I may not have been using the highest level of encryption.

Leighton
Ilan Tochner
Posts: 6529
Joined: Sun Dec 23, 2012 8:44 am
Has thanked: 4992 times
Been thanked: 4473 times

Re: SSL encryption .... necessary or not?

Post by Ilan Tochner »

Hi Leighton,

When using HTTPS with Google Apps you get encryption from your end to the Google Servers but your communications with your clients aren't encrypted end-to-end, i.e. they are transferred and stored in plaintext when traveling between email servers. I'm not familiar enough with Hushmail but please note that if you want the highest level of protection you'd want to use software that encrypts communication on your computer, transfers it in encrypted form to your customers and only decrypts it on their computer. To my understanding, Skype does that. See: https://support.skype.com/en/faq/FA31/d ... encryption
ShowStopper Eclipse
Posts: 44
Joined: Sat Apr 20, 2013 9:02 pm
Has thanked: 12 times
Been thanked: 15 times

Re: SSL encryption .... necessary or not?

Post by ShowStopper Eclipse »

From what I understand Hushmail is very effective when it comes to encryption and privacy. But only if both parties are using Hushmail.
Leighton Marjoram
Posts: 8
Joined: Tue Apr 23, 2013 3:53 pm
Has thanked: 10 times
Been thanked: 6 times

Re: SSL encryption .... necessary or not?

Post by Leighton Marjoram »

Hi Ilan and ShowStopper, thank you for your replies. I recommend that my clients also use Hushmail and state that a remedy exists to encryption of communication and that Hushmail is used by the client. With that said, it is essentially up to them (with all the information that I provide and the solution I recommend but not endorse beyond the claims of Hushmail themselves) how they choose to communicate knowing the risks of communicating 'sensitive' information of any kind over the internet without encryption, depending also on the type of service they access; textual, video/text chat and in-world services all have strengths, limits and issues about confidentiality and privacy. In a world on Kitely set to private, how secure is the communication between me and my visitors in Kitely worlds?
Constance Peregrine
Posts: 2349
Joined: Sun Dec 23, 2012 11:35 am
Has thanked: 2778 times
Been thanked: 1482 times

Re: SSL encryption .... necessary or not?

Post by Constance Peregrine »

Leighton Marjoram wrote: Hi Ilan and ShowStopper, thank you for your replies. I recommend that my clients also use Hushmail and state that a remedy exists to encryption of communication and that Hushmail is used by the client. With that said, it is essentially up to them (with all the information that I provide and the solution I recommend but not endorse beyond the claims of Hushmail themselves) how they choose to communicate knowing the risks of communicating 'sensitive' information of any kind over the internet without encryption, depending also on the type of service they access; textual, video/text chat and in-world services all have strengths, limits and issues about confidentiality and privacy. In a world on Kitely set to private, how secure is the communication between me and my visitors in Kitely worlds?

Let me add [since I can't keep my mouth shut it seems]

That unlike with grids where regions are interconnected, if you set your region here to no public access, other than the grid admins, nobody can get there but who you allow and nobody can see what is said...
These users thanked the author Constance Peregrine for the post:
Ilan Tochner
Laissez faire et laissez passer, le monde va de lui même!
My little sounds store https://www.kitely.com/market?store=2040306

Ephemeral wanderer...
Ilan Tochner
Posts: 6529
Joined: Sun Dec 23, 2012 8:44 am
Has thanked: 4992 times
Been thanked: 4473 times

Re: SSL encryption .... necessary or not?

Post by Ilan Tochner »

Hi Leighton,

Let me start by stating that Kitely has not attempted to receive HIPAA Certification so you shouldn't assume it is HIPAA compliant.

A world that is set to private access doesn't enable unauthorized people to access it. There are two distinct ways for you to communicate inworld via text messages. Inworld "local" chat and direct IMs between avatars.

Direct IMs may get sent to a centralized OpenSim grid server or get forwarded by unencrypted email to offline users. We don't retain a record of them and it is unlikely that anyone would succeed in getting to your chat messages but, if you wish to have maximum level of privacy protection, then you will want to avoid using them.

Inworld chat doesn't get transferred to other servers and won't be forwarded by emails so is more private in that regard. That said, this isn't an encrypted channel so if HIPAA compliance is a requirement you would want to avoid this channel as well.

One option I can suggest is that you meet inside Kitely and use Skype running in the background for encrypted voice and file transfer. This way you'll be able to have an immersive experience but all personal data exchanges will be done on a secure channel that is encrypted end-to-end.
These users thanked the author Ilan Tochner for the post:
Leighton Marjoram