Slashdot Mirror

← Back to Stories (view on slashdot.org)

Why Doesn't Every Website Use HTTPS?

Posted by CmdrTaco on from the asked-that-more-than-once dept.

suraj.sun writes "HTTPS is more secure, so why isn't the Web using it? You wouldn't write your username and passwords on a postcard and mail it for the world to see, so why are you doing it online? Every time you log in to Twitter, Facebook or any other service that uses a plain HTTP connection that's essentially what you're doing. There is a better way, the secure version of HTTP — HTTPS. But if HTTPS is more secure, why doesn't the entire Web use it?"

5 of 665 comments (clear)

  1. Re:Correct by fuzzyfuzzyfungus · · Score: 5, Informative

    The fact that it can muck up cheap-n-cheerful 'zillion sites on one host' arrangements unless everybody's TLS ducks are in a row probably counts as a fairly significant cost, as well. Especially on the low end.

  2. Re:Correct by isopropanol · · Score: 5, Informative

    Also, HTTPS does not play well with proxy caches or load balancing.

  3. Re:Certificate? by spinkham · · Score: 5, Informative

    Free certs are available, and every bit as (in)secure as the paid standard ssl certs.
    http://cert.startcom.org/

    The "annoying users when they expire" is a symptom of the main problem.

    Well, actually it's 2 problems.
    For small hosters, IE(any version) on XP doesn't support SSL/TLS on virtual hosts. Everybody else does. http://en.wikipedia.org/wiki/Server_Name_Indication

    For large hosters, SSL key distribution and updates becomes a problem when using large server farms or CDNs. Doing SSL in hardware on load balancers solves this for server farms, while CDNs are a more difficult problem.

    Those are the main reasons. Latency and CPU usage are not deal-breakers today, though they are a factor.

    --
    Blessed are the pessimists, for they have made backups.
  4. Re:Haven’t we been here before? by asdf7890 · · Score: 5, Informative

    Isn't SSL done on a per domain name basis?

    No. But yes. Well, probably not quite yet.

    No: The way HTTPS works when the "recent" SNI feature is not available is that the TLS stream is created (including certificates being negotiated and verified) before any hostname information is transferred. This means that you can only have one valid certificate per publicly addressable IP address without SNI.

    But yes: With SNI (see http://en.wikipedia.org/wiki/Server_Name_Indication for info) the hostname is sent earlier, so the server can lookup the right certificate for that name and send it instead of relying on a 1-to-1 mapping between IP addresses and service names.

    Well, probably not quite yet: Unfortunately SNI is not completely supported by all common user agents, particularly any version of Internet Explorer running on Windows XP, so whether you can justify using the feature right now depends a lot on who your target audience are. If you don't have any users browsing your content/app with XP+IE or you don't mind telling such users to upgrade to FF/Chrome/other, upgrade Windows, or just put up with the certificate warnings, then using SNI will work for you. You run the risk of sending XP+IE users away though, which might not be acceptable if your bottom line relies on getting as much traffic as possible through your doors.

  5. Re:Correct by neorush · · Score: 5, Informative

    We use Pound for load balancing which makes requests to the cache servers, works great, very configurable, supports sessions, etc.

    --
    neorush