Linked by Thom Holwerda on Thu 4th Jul 2013 12:33 UTC, submitted by twitterfire
"Internet users worried about their personal information being intercepted by U.S. intelligence agencies should stop using websites that send data to the United States, Germany's top security official said Wednesday." Cute, but pointless. France does it too, as does the UK. Documents from the Dutch intelligence agencies indicate that they, too, are involved in mass surveillance, the extent of which will supposedly be investigated by parliament.
Thread beginning with comment 566269
RE: Comment by aligatro
by Lennie on Thu 4th Jul 2013 18:33 UTC in reply to "Comment by aligatro"
Lennie (member since 2007-09-22)

You might think it's easy, CPU time isn't the issue here. There are other issues.

Because:

1. IP addresses:
HTTP can run multiple websites on the same IP address ("virtual hosting", it's called). HTTPS has SNI to do the same, but it isn't supported by any version of IE (or Safari) on Windows XP, or by the default browser on Android 2.x. So SNI hasn't seen widespread deployment, because it doesn't work with those older browsers/operating systems.

Thus each new HTTPS site needs a separate IP address; this is also an administrative and deployment burden, which costs money.

This might get worse because IPv6 did not get deployed, and the price of IPv4 will rise.

2. Certificate expiration: certificates need to be renewed each year or every few years; this takes effort, and effort costs money/time. It can't always be automated, because it usually happens by sending email to the domain holder (owner).

That could be solved by using self-signed certificates, but no browser can trust them. If you don't know who you are talking to, you can encrypt whatever you like, but security it is not.

3. No secure mechanism to deploy self-signed certificates. DNSSEC* with DANE could solve this, but no browser currently supports it.

Because deploying DNSSEC to client machines (the device that runs a browser) is currently problematic.

There are lots of issues; a simple example is that DSL routers are broken and don't allow large DNS packets, and there are lots of other similar issues.

4. Lots of websites include content from other sites; when you include content from another site on your HTTPS website, the other site needs to use HTTPS as well.

5. CDN support for HTTPS is complicated and expensive.

___

HTTP 2.0 might also be a possible solution to the self-signed certificate problem.

HTTP 2.0 will always use encryption certificates, but only display a lock-icon in the bar if it encounters a certificate it can validate.

* DNSSEC uses signed DNS answers; DNS is what is used for looking up domain names.

Edited 2013-07-04 18:44 UTC

Reply Parent Score: 4
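As an added illustration of point 1 in the comment above (example code written for this page, not part of the original comment, of any browser, or of any web server): a constructed minimal TLS 1.2 ClientHello with and without the SNI extension (RFC 6066 layout), and the server-side lookup that shows why a client that sends no SNI, like the legacy browsers named above, can only ever be handed the IP address's default certificate. The cipher suite list, the all-zero random and the certificate names are placeholders.

```python
import struct

SNI_EXT_TYPE = 0x0000   # server_name extension type (RFC 6066)
HOST_NAME = 0           # NameType.host_name
def build_client_hello(hostname=None, cipher_suites=(0x002F,)):
    """Constructed minimal TLS 1.2 ClientHello; hostname=None emulates a legacy client that sends no extensions (no SNI)."""
    body = struct.pack("!H", 0x0303) + b"\x00" * 32 + b"\x00"       # version, zero random, empty session id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"   # cipher_suites, one null compression method
    if hostname is not None:
        name = hostname.encode("idna")
        entry = struct.pack("!BH", HOST_NAME, len(name)) + name     # one host_name entry
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXT_TYPE, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext                   # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType.client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # TLS record
def extract_sni(record):
    """Server side: return the host_name carried in a ClientHello record, or None if there is none."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                                    # skip client_version and random
    pos += 1 + body[pos]                                            # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]            # cipher_suites
    pos += 1 + body[pos]                                            # compression_methods
    if pos + 2 > len(body):
        return None                                                 # no extensions at all: pre-SNI client
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if etype == SNI_EXT_TYPE:
            p = pos + 2                                             # skip server_name_list length
            while p + 3 <= pos + elen:
                ntype, nlen = struct.unpack("!BH", body[p:p + 3])
                p += 3
                if ntype == HOST_NAME:
                    return body[p:p + nlen].decode("idna")
                p += nlen
        pos += elen
    return None
def pick_certificate(record, certs_by_name, default_cert):
    """Virtual hosting: without SNI the server can only offer the IP address's default certificate."""
    return certs_by_name.get(extract_sni(record), default_cert)
```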