Full Disclosure mailing list archives
Re: The Cookie Tools v0.3 -- first public release
From: Jason <security () brvenik com>
Date: Mon, 10 Dec 2007 23:00:03 -0500
Andrew Farmer wrote:
> On 10 Dec 07, at 05:45, michele dallachiesa wrote:
>> Why is HTTPS not the default in this type of service? This is a big silent hole. Maybe today it is less silent :)
>
> The short version is "because hosting things with SSL is still hard". There are a few things which are significantly holding back the move to SSL web servers. They include:
>
> * Every domain hosted with SSL must have a dedicated IP address. This basically rules out any form of shared hosting.

Did I miss something that makes SSL require a static IP? Do you mean to say that it is difficult to virtually host a site on a shared server without a static IP because you have no way to know what certificate to present to the browser? If you are dealing with anything that really warrants SSL, you should not be utilizing virtual hosting on a shared server in the first place.

> * SSL certificates don't come cheap. $50 seems like the low end right now, and the really big names (like Verisign or Thawte) charge several times that.

You are paying for a basic trust, not for crypto. You can easily self-sign and have SSL all day long.

> * Many common load-balancing products only work with unencrypted HTTP. Furthermore, SSL places a much higher load on the server.

How is that preventing the adoption of SSL? It is fairly trivial to accelerate and terminate SSL and then to load balance behind the termination point. OSS proxy software is readily available, as are PCI accelerator cards. A single-box load balancer for a few thousand would support any moderately sized business well.

> Some of these things are set to change - for example, SNI is set to fix the first one. However, it's only just becoming available; it'll be a while before it can be relied on in production systems.

Corporations handling personal or financial data should have no need for SNI. Everyone else really shouldn't care or should have the means to do so safely.
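The mechanism behind the SNI point debated above is that the client sends the hostname it wants inside the TLS ClientHello, before the server has to choose a certificate, which is what lets several HTTPS sites share one IP address. The following is an added example, not code from this thread or from The Cookie Tools: it builds a constructed, minimal TLS 1.2 ClientHello, extracts the server_name extension (RFC 6066, extension type 0) the way a shared-IP front end or a passive TLS monitor would, and rejects malformed records instead of guessing. All function names and sample values here are my own.

```python
import struct

# Added example, not code from the thread: builds and parses the TLS
# ClientHello server_name (SNI) extension (RFC 6066, extension type 0),
# the field that lets one IP address serve several HTTPS sites because
# the server can pick a certificate before the handshake continues.

SNI_EXTENSION_TYPE = 0x0000
HOST_NAME = 0x00


def _sni_extension(hostname: str) -> bytes:
    """Encode one host_name entry as a server_name extension."""
    name = hostname.encode("ascii")               # SNI names are ASCII (A-labels)
    entry = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
    name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", SNI_EXTENSION_TYPE, len(name_list)) + name_list


def build_client_hello(hostname=None, extra_extensions=b"") -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record (sample input only)."""
    body = b"\x03\x03"                              # client_version TLS 1.2
    body += b"\x11" * 32                            # random, fixed for the example
    body += b"\x00"                                 # session_id: empty
    body += struct.pack("!H", 2) + b"\xc0\x2f"      # one cipher suite
    body += b"\x01\x00"                             # compression: null only
    exts = (_sni_extension(hostname) if hostname else b"") + extra_extensions
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _need(buf: bytes, pos: int, n: int) -> None:
    """Bounds check: every length field is verified before it is trusted."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")


def parse_sni(record: bytes):
    """Return the host_name from a ClientHello record, or None if absent.

    Raises ValueError for anything that is not a well-formed ClientHello,
    so a caller can count or log malformed handshakes instead of guessing.
    """
    _need(record, 0, 5)
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    _need(record, 5, rec_len)
    hs = record[5:5 + rec_len]
    _need(hs, 0, 4)
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    _need(hs, 4, hs_len)
    body = hs[4:4 + hs_len]

    pos = 2 + 32                                    # skip version and random
    _need(body, pos, 1)
    pos += 1 + body[pos]                            # session_id
    _need(body, pos, 2)
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    _need(body, pos, 1)
    pos += 1 + body[pos]                            # compression_methods
    if pos == len(body):
        return None                                 # no extensions block at all
    _need(body, pos, 2)
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    _need(body, pos, ext_len)
    end = pos + ext_len

    while pos < end:
        _need(body, pos, 4)
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        _need(body, pos, elen)
        data = body[pos:pos + elen]
        pos += elen
        if etype != SNI_EXTENSION_TYPE:
            continue
        _need(data, 0, 2)
        list_end = 2 + struct.unpack("!H", data[:2])[0]
        _need(data, 0, list_end)
        p = 2
        while p < list_end:                         # walk the ServerNameList
            _need(data, p, 3)
            ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            _need(data, p, nlen)
            if ntype == HOST_NAME:
                return data[p:p + nlen].decode("ascii")
            p += nlen
    return None


def safe_parse_sni(record: bytes):
    """(hostname, error) pair for a capture loop that must not crash."""
    try:
        return parse_sni(record), None
    except ValueError as exc:
        return None, str(exc)


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    print(parse_sni(hello))                         # www.example.com
    print(safe_parse_sni(hello[:20]))               # (None, 'truncated ClientHello')
```

The hostname is read from the very first bytes the client sends, which is why a front end terminating SSL for many names on one address can select the right certificate without a dedicated IP per site. The same field travels in cleartext, so the parser above is also what a network monitor uses to attribute TLS connections to hostnames without decrypting anything.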
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- The Cookie Tools v0.3 -- first public release michele dallachiesa (Dec 10)
- Re: The Cookie Tools v0.3 -- first public release Andrew Farmer (Dec 10)
- Re: The Cookie Tools v0.3 -- first public release Jason (Dec 10)
- Re: The Cookie Tools v0.3 -- first public release coderman (Dec 10)
- Re: The Cookie Tools v0.3 -- first public release Andrew Farmer (Dec 10)
