Linked by Thom Holwerda on Thu 4th Jul 2013 12:33 UTC, submitted by twitterfire
In the News "Internet users worried about their personal information being intercepted by U.S. intelligence agencies should stop using websites that send data to the United States, Germany's top security official said Wednesday." Cute, but pointless. France does it too, as does the UK. Documents from the Dutch intelligence agencies indicate that they, too, are involved in mass surveillance, the extent of which will supposedly be investigated by parliament.
Thread beginning with comment 566256
Comment by aligatro
by aligatro on Thu 4th Jul 2013 17:22 UTC
aligatro
Member since:
2010-01-28

Encrypt your internets! But, seriously, why isn't every website using SSL encryption by default? Yes, it takes extra CPU power, but this is not the 90s anymore and servers nowadays can easily handle the extra weight.

Reply Score: 4

RE: Comment by aligatro
by pepa on Thu 4th Jul 2013 17:29 in reply to "Comment by aligatro"
pepa Member since:
2005-07-08

Is it the cost and hassle of the necessary certificate?

Reply Parent Score: 2

RE[2]: Comment by aligatro
by aligatro on Thu 4th Jul 2013 18:19 in reply to "RE: Comment by aligatro"
aligatro Member since:
2010-01-28

I doubt any small to big companies would not be able to spend $40 on a certificate for a year.

Reply Parent Score: 3

RE: Comment by aligatro
by kurkosdr on Thu 4th Jul 2013 18:15 in reply to "Comment by aligatro"
kurkosdr Member since:
2011-04-11

But , seriously, why isn't every website using SSL encryption by default?


Because the data will be decrypted by the other end? (Google, Skype etc.) The solution would be a user-to-user encryption protocol, not user-to-service (like SSL). So all Google sees is a bunch of garbled characters. There should be an open source project for that.

Reply Parent Score: 4

RE[2]: Comment by aligatro
by aligatro on Thu 4th Jul 2013 19:32 in reply to "RE: Comment by aligatro"
aligatro Member since:
2010-01-28

True, but not all companies bent over and just gave access to our personal information. If both sides are encrypted, then the government should only see encrypted packets if the company is in another country or refusing to work with PRISM.

Edited 2013-07-04 19:35 UTC

Reply Parent Score: 3

RE: Comment by aligatro
by Soulbender on Thu 4th Jul 2013 18:20 in reply to "Comment by aligatro"
Soulbender Member since:
2005-08-18

But , seriously, why isn't every website using SSL encryption by default?


If the company you talk to is involved, then using SSL doesn't matter. If we then also presume that at least some of the certificate authorities are also involved, SSL becomes almost meaningless (for keeping your stuff from Big Brother).

Reply Parent Score: 4

RE: Comment by aligatro
by Lennie on Thu 4th Jul 2013 18:33 in reply to "Comment by aligatro"
Lennie Member since:
2007-09-22

You might think it's easy, but CPU time isn't the issue here. There are other issues.

Because:

1. IP-addresses:
HTTP can run multiple websites on the same IP-address; "virtual hosting" it's called. HTTPS has SNI to do the same, but it isn't supported by any version of IE (and Safari) on Windows XP or the default browser on Android 2.x. So SNI hasn't seen widespread deployment because it doesn't work with those older browsers/operating systems.

Thus each new HTTPS-site needs a separate IP-address; this also is an administrative and deployment burden which costs money.

This might get worse because IPv6 did not get deployed. And the price of IPv4 will rise.

2. Certificate expiration: certificates need to be renewed each year or every few years; this takes effort, and effort costs money/time. It can't always be automated, because it usually happens by sending email to the domain holder (owner).

That could be solved by using self signed certificates, but no browser can trust them. If you don't know who you are talking to, you can encrypt whatever you like, but security it is not.

3. No secure mechanism to deploy self signed certificates. DNSSEC* with DANE could solve this, but no browser currently supports this.

Because deploying DNSSEC to client machines (the device that runs a browser) is currently problematic.

There are lots of issues, a simple example is that DSL-routers are broken and don't allow large DNS packets and there are lots of other similar issues.

4. Lots of websites include content from other sites; when you include content from another site on your HTTPS-website, the other site needs to use HTTPS as well.

5. CDN-support for HTTPS is complicated and expensive

___

HTTP 2.0 might also be a possible solution to the self-signed certificate problem.

HTTP 2.0 will always use encryption certificates, but only display a lock-icon in the bar if it encounters a certificate it can validate.

* DNSSEC uses signed DNS answers; DNS is what is used for looking up domain names.

Edited 2013-07-04 18:44 UTC

Reply Parent Score: 4
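Added example (not part of the thread above, and not code from any commenter): what Lennie's point 1 means on the wire. A server hosting several HTTPS sites on one IP can only pick the right certificate if the ClientHello carries the server_name (SNI) extension; a client without it, like IE on Windows XP in the comment, gets whatever default certificate the server is configured with, and sees a name mismatch if that is the wrong site. The ClientHello bytes, the host names and the certificate labels below are all constructed for the example.

```python
import struct
from typing import Dict, Optional

# Constructed vhost table for the example: SNI host name -> label of the certificate to serve.
VHOSTS: Dict[str, str] = {
    "secure.example.com": "cert-secure",
    "shop.example.net": "cert-shop",
}
DEFAULT_CERT = "cert-secure"   # what a client without SNI gets, regardless of the site it wanted


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (RFC 5246 layout).

    The server_name extension (RFC 6066) is only added when server_name is given,
    so passing None simulates an SNI-less legacy client.
    """
    body = b"\x03\x03"                       # client_version: TLS 1.2
    body += b"\x00" * 32                     # random: constructed, all zeros
    body += b"\x00"                          # session_id: empty
    body += b"\x00\x02" + b"\xc0\x2f"        # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
    body += b"\x01\x00"                      # one compression method: null
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        ext = b"\x00\x00" + struct.pack("!H", len(name_list)) + name_list   # ext type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # record type 22 = handshake


def parse_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the ClientHello's SNI extension, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    i = 2 + 32                                   # skip client_version and random
    sid_len = p[i]; i += 1 + sid_len             # session_id
    cs_len = struct.unpack("!H", p[i:i + 2])[0]; i += 2 + cs_len   # cipher_suites
    cm_len = p[i]; i += 1 + cm_len               # compression_methods
    if i + 2 > len(p):
        return None                              # no extensions block at all
    ext_total = struct.unpack("!H", p[i:i + 2])[0]; i += 2
    end = min(i + ext_total, len(p))
    while i + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", p[i:i + 4]); i += 4
        ext_data = p[i:i + ext_len]; i += ext_len
        if ext_type != 0:
            continue
        j = 2                                    # skip the 2-byte ServerNameList length
        while j + 3 <= len(ext_data):
            name_type = ext_data[j]
            name_len = struct.unpack("!H", ext_data[j + 1:j + 3])[0]
            name = ext_data[j + 3:j + 3 + name_len]
            j += 3 + name_len
            if name_type == 0:                   # host_name entry
                return name.decode("ascii")
    return None


def select_certificate(record: bytes, vhosts: Dict[str, str] = VHOSTS,
                       default: str = DEFAULT_CERT) -> str:
    """Pick the certificate a virtual-hosting server would present for this ClientHello."""
    name = parse_sni(record)
    if name is None:
        return default                           # SNI-less client: server has to guess
    return vhosts.get(name.lower(), default)


if __name__ == "__main__":
    for sni in ("shop.example.net", "secure.example.com", None):
        hello = build_client_hello(sni)
        print(f"SNI={sni!r:22} -> server presents {select_certificate(hello)}")
```

A client that wanted shop.example.net but sends no SNI gets cert-secure, which is exactly the browser warning Lennie describes; the only fix without SNI is a separate IP-address per certificate.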
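Added example for Lennie's point 4 (not from the thread, not from any commenter): a small mixed-content checker that walks an HTML page and reports subresources that would still be fetched over plain HTTP once the page itself moves to HTTPS. The page URL, the HTML and the host names are constructed; note that protocol-relative URLs (`//cdn...`) and relative paths inherit the page's scheme and are fine, and that an `<a href="http://...">` is a navigation, not a subresource, so it is not flagged.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit

# Tags/attributes that make the browser fetch something as part of rendering the page.
# Constructed list for the example; real browsers have a longer one (srcset, video, embed, ...).
SUBRESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "source": ("src",),
    "object": ("data",),
    "link": ("href",),      # only for rel values that fetch, see below
}
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload"}


class MixedContentScanner(HTMLParser):
    """Collect (tag, attribute, absolute URL) for every subresource loaded over http://."""

    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_url = page_url
        self.findings: List[Tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs) -> None:
        a = dict(attrs)
        if tag == "link":
            rels = set((a.get("rel") or "").lower().split())
            if not rels & FETCHING_LINK_RELS:
                return                        # e.g. rel=canonical: not a fetch
        for attr in SUBRESOURCE_ATTRS.get(tag, ()):
            value = a.get(attr)
            if not value:
                continue
            # Resolve against the page URL so relative and protocol-relative
            # references take the page's (https) scheme.
            url = urljoin(self.page_url, value.strip())
            if urlsplit(url).scheme == "http":
                self.findings.append((tag, attr, url))


def find_mixed_content(page_url: str, html: str) -> List[Tuple[str, str, str]]:
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page for the example.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://fonts.example.org/font.css">
<link rel="canonical" href="http://www.example.com/">
<script src="//cdn.example.net/lib.js"></script>
</head><body>
<img src="/img/logo.png">
<img src="http://static.example.org/banner.png">
<a href="http://www.example.com/other">plain link, not a subresource</a>
<script src="http://stats.example.org/track.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content("https://www.example.com/index.html", SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}=...> loads {url}")
```

Each line it prints is a third party that has to offer HTTPS before the page can be served securely, which is the dependency cost Lennie is pointing at.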