This server is overloaded?

[The Madhatter]

I agree that plain http is better for static non-restricted stuff such as images, css, js, which is perfectly cachable. The main problem is that you can't use http images in https sites without creating browser warnings (the reason for this being insertion/xss attacks). A compromised cached proxy server could insert arbitrary images/css/js (and thus, scripts) into your site. (This could be solved if http supported content signing and checking on import, but that'd require browser and protocol changes)

I know all of this already. You're preaching to the choir.

Eventually security will trump bandwidth and CPU concerns, as people will trust more of their life to internet, and it becomes easier and easier for laymen to sniff plaintext connections and hijack connections (firesheep et al).
You can see it now with gmail, hotmail switching to https. That's only the beginning, many more are on the verge of switching.

Oh sure. Webmail should have always had SSL. I'm surprised they went this long without it. I'm sure that back when Hotmail started the CPU overhead would have killed them. I know this isn't the case now.

SSL is a PITA for content delivery. It just won't fly. If I can't let ISPs cache my content I need 10x the amount of servers. Not to mention my site slows down because the ability for ISPs to cache my content local to a particular geographic region isn't possible.

SSL also doesn't stop MITM/sniffing problems since no browser cares when SSL certs change. Until browsers ship with a plugin like Certificate Patrol (for FF), SSL won't save anyone from these attacks.

Food for thought..

[1714983375]

1714983375

[1714983375]

1714983375

[wumpus]

SSL is a PITA for content delivery. It just won't fly. If I can't let ISPs cache my content I need 10x the amount of servers. Not to mention my site slows down because the ability for ISPs to cache my content local to a particular geographic region isn't possible.

Well, we don't really have ISP-based caching servers here in Europe, and it works OK. Most companies do their own frontend/backend caching.

And for paid content you want security in place anyway. Although my argument was not for youtube-like services. More like forums, communication, chat, mail, identification, etc... The things for which security matters.

SSL also doesn't stop MITM/sniffing problems since no browser cares when SSL certs change. Until browsers ship with a plugin like Certificate Patrol (for FF), SSL won't save anyone from these attacks.

It doesn't stop all attacks but is significantly more secure than plaintext. Nothing ever is fully secure, that is not an argument for lower security, ever!

[The Madhatter]

Well, we don't really have ISP-based caching servers here in Europe, and it works OK. Most companies do their own frontend/backend caching.

Are you sure? Tons of ISPs do transparent caching.

And for paid content you want security in place anyway.

Security != encryption. For paid content (small static files), I'd choose http over https any day. For handling logins/sensitive information I'd use SSL. There is no reason to SSL an entire site. Especially when the content is public anyway.

It doesn't stop all attacks but is significantly more secure than plaintext. Nothing ever is fully secure, that is not an argument for lower security, ever!

That's not what I meant. I was pointing out that SSL isn't a "cure all" for MITM/sniffing attacks. If the browsers got their $hit together when it came to SSL it would be far better than it currently is.

[The Madhatter]

it's way overdue anyway for the entire web to switch to https

Although my argument was not for youtube-like services. More like forums, communication, chat, mail, identification, etc... The things for which security matters.

These two statements are contradictory.

[wumpus]

Yes, it might be. I just remembered that even digital cable TV is encrypted these days.

Even with public files, one does not necessarily want everyone to know he/she is accessing them. And someone that is sniffing can see all http requests, including full path.

You are only reasoning from the side of the service provider, not the side of your customer. In my opinion, there is no reason to not simply encrypt everything. Better be safe than sorry.

[The Madhatter]

Yes, it might be. I just remembered that even digital cable TV is encrypted these days.

Sure. That is their form of access control. They broadcast their streams 24/7 to everyone. (Sometimes even to those who don't need/want the signal.) To prevent theft they scramble all of the content and rent you a box to decode it.

The Internet doesn't work the same way. The Internet has a lot of public content that has no need for encryption (you already mentioned YouTube) and you propose that we encrypt it and make the Internet slower? Why exactly? Just 'because we can'?

Even with public files, one does not necessarily want everyone to know he/she is accessing them. And someone that is sniffing can see all http requests, including full path.

With all of the SSL MITM/sniffing stuff aside, the IP connections can still be logged and the data flows measured. What you are doing can still be assumed. You can still be implicated for connecting to a naughty site, etc.

For example, say you connect to an adult site from work and this site is entirely https. Your boss still knows you were looking at porn on company time. He cares not which individual image or video you downloaded.