| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <461B48F2-53BE-4597-ACF7-023D0DB29276@gmail.com> Date: Mon, 10 Dec 2007 19:20:22 -0800 From: Andrew Farmer <andfarm@...il.com> To: michele dallachiesa <michele.dallachiesa@...il.com> Cc: full-disclosure <full-disclosure@...ts.grok.org.uk> Subject: Re: The Cookie Tools v0.3 -- first public release On 10 Dec 07, at 05:45, michele dallachiesa wrote: > why HTTPS is not the default in this type of services? this is a big > silent hole. maybe, today is less silent :) The short version is "because hosting things with SSL is still hard". There's a few things which are significantly holding back the move to SSL web servers. They include: * Every domain hosted with SSL must have a dedicated IP address. This basically rules out any form of shared hosting. * SSL certificates don't come cheap. $50 seems like the low end right now, and the really big names (like Verisign or Thawte) charge several times that. * Many common load-balancing products only work with unencrypted HTTP. Furthermore, SSL places a much higher load on the server. Some of these things are set to change - for example, SNI is set to fix the first one. However, it's only just becoming available; it'll be a while before it can be relied on in production systems. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists