Http vs Https Universally

x16wda:
If it were free... then that would be a different story.
-wraith808 (May 15, 2015, 05:40 PM)
--- End quote ---

$419 seems excessive when a RapidSSL cert through Servertastic is $15.95. (And I am sure there are less expensive alternatives, but we have used these for years. Actually we buy a block at a time as a "reseller" and that drops the price down to about $10/year.)

Stoic Joker:
What "problem" are "we" trying to solve here?? MITM attacks...on what exactly?? It's publicly available content ... -Stoic Joker (May 16, 2015, 07:42 AM)
--- End quote ---

Take the case we have here in Turkey. The government liberally censors the web, and the next logical step is keeping a log of who reads what. Then I'd be in deep trouble for just reading something like this.

1984 feels very real in this part of the globe. https may delay it for a while, and I'd support that.-eleman (May 16, 2015, 08:15 AM)
--- End quote ---

Yes...and hence part of my usage of the word placebo. The base assertion is that SSL is a knight in shining armor that will Keep Out All "Bad People"... However several curtain peeking events over the last year or so show that this is not entirely true. Because some of the (er...) "More Equal" animals on this planet have a master key (of sorts) that allows them to get a free pass through the SSL "wall"...that's really more of a screen door...if you just so happen to be a bona fide extra special member of the right boys club.

So to me it's really more of an 80's era cartoon superhero hiding their secret identity metamorphosis behind a small plant...with the plotline based expectation that nobody will notice..

ayryq:
I used shared hosting at bluehost. I'm not at all sure "Let's Encrypt" will be available for shared hosts. To buy a certificate through bluehost, I'd have to have a dedicated IP ($3.99 / month). Then, the cheapest option (no subdomains except for www) is $4.99 / month (from Comodo). To get all subdomains it's $12.42 / month. But I have several different TLDs I use for different things.

So my total cost per year is $47.88 + $59.88 per TLD = $107.76/year for one domain with no subdomains. This is substantially more than the cost of hosting.

And as Stoic Joker points out, it's not at all certain that SSL really would stop a malicious government, for example.

Innuendo:
That's like encrypting all the billboards on the side of the highway so people have to get and be wearing very special - and very expensive - glasses to be able to read your advertisement messages.-Stoic Joker (May 16, 2015, 07:42 AM)
--- End quote ---

This is the perfect analogy. Cyber-attacks have a huge presence in the media & the public eye right now. This places them square in the middle of the narrow tunnel vision of CEOs worldwide. Unfortunately, these people have no idea what's involved in competent cyber-security. All they know is that HTTPS keeps their banking and credit card information safe. Therefore.....<wait for it>....if HTTPS is used on every web site then every web site will be safe!!!! Suck on that, ISIS!!!!

I use humor to illustrate a point, but it's a valid point, nonetheless. HTTPS is a very powerful tool and it has many awesome uses, but forcing its implementation on every web site is not an awesome use.

SeraphimLabs:
There are actually two even bigger problems with https than just the cost of getting certs. Also I use self-signed certificates for most of my stuff, which provide the same encryption bonus free of charge. Tradeoff is you then no longer can be sure of what server you are talking to unless you've made your own certificate authority and have traceability to your own root certificates.

The first is IPv4 depletion. SSL only allows one site per IP, and sites with it have always had an additional overhead cost in provisioning the dedicated IPv4 required to make it work. IPv6 would help mitigate this, but all too many ISPs are behind the times and haven't even looked at IPv6 rollout on their networks. After all IPv4 is still working, why should they spend their precious profits installing new IPv6 capable infrastructure when it's not broken yet.

The second is caching, which really helps keep the internet bandwidth-efficient especially in the Americas where people are still using dial-up here in 2015. By definition, https cannot be cached because that would require the proxy to be able to decrypt the content in order to make the decision of if it should keep it or not. And with properly functioning encryption the data will change each time the page loads, completely defeating any possibility of caching it without having to trust the proxy with unencrypted data. Browsers will do some caching though, but a lot less of it is possible on https.
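
The self-signed certificate tradeoff mentioned in the post above, as an added example that is not part of the original thread: two throwaway self-signed certificates carry the same name, and only an explicit trust anchor or a recorded fingerprint tells them apart. It assumes the `openssl` command-line tool is installed; the function names and the CN `blog.example.test` are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and the CN below are constructed, not from the thread.

# Create a throwaway self-signed certificate. $1 = directory, $2 = file stem.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=blog.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Print "trusted" or "untrusted" for certificate $2.
# $1 = PEM file to trust as an anchor, or "" to rely on the system store alone.
check_trust() {
    if [ -n "$1" ]; then
        if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
            echo trusted
        else
            echo untrusted
        fi
    elif openssl verify "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# SHA-256 fingerprint of a certificate, the value a client would record to pin it.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

demo() {
    d=$(mktemp -d) || return 1
    make_selfsigned "$d" server      # the operator's own certificate
    make_selfsigned "$d" impostor    # same subject name, different key
    echo "system store, server cert:     $(check_trust "" "$d/server.pem")"
    echo "own anchor,   server cert:     $(check_trust "$d/server.pem" "$d/server.pem")"
    echo "own anchor,   impostor cert:   $(check_trust "$d/server.pem" "$d/impostor.pem")"
    echo "server fingerprint:   $(fingerprint "$d/server.pem")"
    echo "impostor fingerprint: $(fingerprint "$d/impostor.pem")"
    rm -rf "$d"
}

demo
```

Both certificates give a connection the same encryption; the client can only tell the real server from the look-alike if it was given the anchor or fingerprint in advance.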


