Http vs Https Universally

[wraith808]

Interesting blog post on Techdirt: https://www.techdirt...-not-bad-thing.shtml

My problem is the added expense.  I'm only running a few free sites.  I do host for some people, and they have https as they want.  But as for me, if all I'm doing is serving random content with closer to zero people looking at it than I'd like to think, why do I need to pay extra because it's a 'good idea'?

Can anyone answer me this question?

And is Mozilla's move to deprecate http in its browser a wielding of power?  Or a genuine thing that needs to be done?  And Chrome's move isn't *much* better.

And just for an alternate view - a well written article from Ben Klemens: https://medium.com/@...-an-era-c106acded474

I just don't see it, in all honesty.  If it were free... then that would be a different story.  There's the Let's Encrypt initiative... but until it arrives, I don't believe it.

[ayryq]

I found techdirt through the list here on DC and often find interesting articles there. This one had some good points that I hadn't thought of. I have quite a few https sites that "seem" broken because the domain (mine) doesn't match the certificate (box-something-or-other.bluehost.com). I'm with you, though, I'm serving random content to basically myself, so why bother? Although it would be nice when I set up an email client, I only have to click "remember this exception" once.

I'm a nerd, though, so if it's free, I'll probably do it. But free is exactly how much it is worth to me to have a REAL certificate. Not $419 for sure!

[Deozaan]

If you're serving it to yourself, SSH/SFTP/SCP into your server.

[Stoic Joker]

My problem is the added expense. I'm only running a few free sites.

-wraith808 (May 15, 2015, 05:40 PM)

Me to, and I include the added resource requirements for all the (IMO unnecessary) encrypting as everything is getting stuffed up the wire.

But as for me, if all I'm doing is serving random content with closer to zero people looking at it than I'd like to think, why do I need to pay extra because it's a 'good idea'?

-wraith808 (May 15, 2015, 05:40 PM)

Amen to that! ...What "problem" are "we" trying to solve here?? MITM attacks...on what exactly?? It's publically available content ... So it would be an idiotic waste of effort to break into a stream of data that you could much easier just go read on your own. That's like encrypting all the billboards on the side of the highway so people have to get and be wearing very special - and very expensive - glasses to be able to read your advertisement messages. WTF is the point? ...Complexity for the sake of itself?? A placebo level of reassurance that people are then "protected" from an academic exorcise that nobody in their right mind is dumb enough to bother with?


It's been said there is a time and place for everything...and I do believe that to be true. But encrypting everything, everywhere, and at all times is just paranoia to the absurd. These hyper paranoid pundits need to unplug, crawl out of their basements, and reacquaint themselves with how interaction with a real person actually works.

[eleman]

What "problem" are "we" trying to solve here?? MITM attacks...on what exactly?? It's publically available content ...

-Stoic Joker (May 16, 2015, 07:42 AM)

Take the case we have here in Turkey. The government liberally censors the web, and the next logical step is keeping a log of who reads what. Then I'd be in deep trouble for just reading something like this.

1984 feels very real in this part of the globe. https may delay it for a while, and I'd support that.

[x16wda]

If it were free... then that would be a different story.

-wraith808 (May 15, 2015, 05:40 PM)

$419 seems excessive when a RapidSSL cert through Servertastic is $15.95. (And I am sure there are less expensive alternatives, but we have used these for years. Actually we buy a block at a time as a "reseller" and that drops the price down to about $10/year.)

[Stoic Joker]

What "problem" are "we" trying to solve here?? MITM attacks...on what exactly?? It's publically available content ...

-Stoic Joker (May 16, 2015, 07:42 AM)

Take the case we have here in Turkey. The government liberally censors the web, and the next logical step is keeping a log of who reads what. Then I'd be in deep trouble for just reading something like this.

1984 feels very real in this part of the globe. https may delay it for a while, and I'd support that.

-eleman (May 16, 2015, 08:15 AM)

Yes...and hence part of my usage of the word placebo. The base assertion is that SSL is a knight in shining armor that will Keep Out All "Bad People"... However several curtain peeking events over the last year or so show that this is not entirely true. Because some of  the (er...) "More Equal" animals on this planet have a master key (of sorts) that allows them to get a free pass through the SSL "wall"...that's really more of a screen door...if you just so happen to be a bonafide extra special member of the right boys club.

So to me it's really more if an 80's era cartoon superhero hiding their secret identity metamorphosis behind a small plant...with the plotline based expectation that nobody will notice..

[ayryq]

I used shared hosting at bluehost. I'm not at all sure "Let's Encrypt" will be available for shared hosts. To buy a certificate through bluehost, I'd have to have a dedicated IP ($3.99 / month). Then, the cheapest option (no subdomains except for www) is $4.99 / month (from Comodo). To get all subdomains it's $12.42 / month. But I have several different TLDs I use for different things.

So my total cost per year is $47.88 + $59.88 per TLD = $107.76/year for one domain with no subdomains. This is substantially more than the cost of hosting.

And as Stoic Joker points out, it's not at all certain that SSL really would stop a malicious government, for example.

[Innuendo]

That's like encrypting all the billboards on the side of the highway so people have to get and be wearing very special - and very expensive - glasses to be able to read your advertisement messages.

-Stoic Joker (May 16, 2015, 07:42 AM)

This is the perfect analogy. Cyber-attacks have a huge presence in the media & the public eye right now. This places them square in the middle of the narrow tunnel vision of CEOs worldwide. Unfortunately, these people have no idea what's involved in competent cyber-security. All they know is that HTTPS keeps their banking and credit card information safe. Therefore.....<wait for it>....if HTTPS is used on every web site than every web site will be safe!!!! Suck on that, ISIS!!!!

I use humor to illustrate a point, but it's a valid point, nonetheless. HTTPS is a very powerful tool and it has many awesome uses, but forcing its implementation on every web site is not an awesome use.

[SeraphimLabs]

There's actually two even bigger problems with https than just the cost of getting certs. Also I use self-signed certificates for most of my stuff, which provide the same encryption bonus free of charge. Tradeoff is you then no longer can be sure of what server you are talking to unless you've made your own certificate authority and have traceability to your own root certificates.

The first is IPv4 depletion. SSL only allows one site per IP, and sites with it have always had an additional overhead cost in provisioning the dedicated IPv4 required to make it work. IPv6 would help mitigate this, but all too many ISPs are behind the times and haven't even looked at IPv6 rollout on their networks. After all IPv4 is still working, why should they spend their precious profits installing new IPv6 capable infrastructure when its not broken yet.

The second is caching, which really helps keep the internet bandwidth-efficient especially in the Americas where people are still using Dialup here in 2015. By definition, https cannot be cached because that would require the proxy to be able to decrypt the content in order to make the decision of if it should keep it or not. And a properly functioning encryption the data will change each time the page loads, completely defeating any possibility of caching it without having to trust the proxy with unencrypted data. Browsers will do some caching though, but a lot less of it is possible on https.

[Deozaan]

I just don't see it, in all honesty.  If it were free... then that would be a different story.  There's the Let's Encrypt initiative... but until it arrives, I don't believe it.

-wraith808 (May 15, 2015, 05:40 PM)

It's here. Believe it.

The key principles behind Let’s Encrypt are:

• Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
• Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
• Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
• Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
• Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
• Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.

-https://letsencrypt.org/about/

[Vurbal]

The bottom line is that certificate based security is only as trustworthy as the companies responsible for the certificates. Companies generally, large companies in particular, and large security companies especially, are ultimately vulnerable to the whims of government actors. Look at how effective the NSA has been at undermining security standards without even bothering with bringing the coercive power of the government to bear.

I'm not saying that I don't use HTTPS everywhere possible, but I understand that it's like putting a band aid on a sucking chest wound. It addresses a handful of problems, but leaves the underlying issue untreated. I don't know what the solution is, but I'm absolutely sure it will involve a complete paradigm shift in how we handle trust relationships.

[f0dder]

Amen to that! ...What "problem" are "we" trying to solve here?? MITM attacks...on what exactly?? It's publically available content ... So it would be an idiotic waste of effort to break into a stream of data that you could much easier just go read on your own. That's like encrypting all the billboards on the side of the highway so people have to get and be wearing very special - and very expensive - glasses to be able to read your advertisement messages. WTF is the point? ...Complexity for the sake of itself?? A placebo level of reassurance that people are then "protected" from an academic exorcise that nobody in their right mind is dumb enough to bother with?

-Stoic Joker (May 16, 2015, 07:42 AM)

The point in encrypting everything is that encrypted traffic doesn't stand out - it's an act of solidarity. It makes dragnetting and mass-bruteforce-decryption harder.

Now, the whole CA system is massively broken, so yeah, nation states and sufficiently funded rogue actors won't have trouble getting a cert so they can pose as you - that can be detected client-side, though, by checking certificate fingerprints (and yes, it's problematic that certificates are usually generated by CAs - there's no guarantees they don't keep a copy of the private key part). But at least it's theoretically possible to guard against rogue certs, and I do use Certificate Patrol myself. It generates a lot of noise for regular web browsing, though.

Also, while it's easy enough for the big bad players to get an impersonating certificate, this will not allow them to decrypt past communications.

[wraith808]

The point in encrypting everything is that encrypted traffic doesn't stand out - it's an act of solidarity. It makes dragnetting and mass-bruteforce-decryption harder.

-f0dder (February 20, 2016, 12:38 PM)

So I'm supposed to put out a not-insignificant amount of money as an act of solidarity?  Good luck with that one.

Once this letsencrypt gets a bit easier to use, I'll probably do it then.  But not before.

[rgdot]

On letsencrypt, more and more hosts are adding it and using cpanel it is easier now but the problem is having non https external links and content on your site. It could potentially be lots of work after adding letsencrypt on an established site.

[f0dder]

So I'm supposed to put out a not-insignificant amount of money as an act of solidarity?  Good luck with that one.

Once this letsencrypt gets a bit easier to use, I'll probably do it then.  But not before.

-wraith808 (February 20, 2016, 12:53 PM)

You've been able to get free certificates for quite a while, like StartSSL. While I probably wouldn't use that for anything sensitive, it's perfectly fine for solidarity. And the cost of computing resources of SSL has been neglicible for at least half a decade.

Of course you might be on a hosting provider that charges a premium for checking a checkbox. In that case, the burden might be too much for you - but you might also consider it an incentive for shopping around for competitive prices; chances are you haven't looked at that for a while.