Message-ID: <475E0B43.2040808@brvenik.com>
Date: Mon, 10 Dec 2007 23:00:03 -0500
From: Jason <security@...enik.com>
To: Andrew Farmer <andfarm@...il.com>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: The Cookie Tools v0.3 -- first public release
Andrew Farmer wrote:
> On 10 Dec 07, at 05:45, michele dallachiesa wrote:
>> why HTTPS is not the default in this type of services? this is a big
>> silent hole. maybe, today is less silent :)
> 
> The short version is "because hosting things with SSL is still hard".
> 
> There's a few things which are significantly holding back the move to  
> SSL web servers. They include:
> 
> * Every domain hosted with SSL must have a dedicated IP address. This  
> basically rules out any form of shared hosting.

Did I miss something that makes SSL require a static IP? Do you mean to
say that it is difficult to virtually host a site on a shared server
without a static IP because you have no way to know what certificate to
present to the browser?

If you are dealing with anything that really warrants SSL you should not
be utilizing virtual hosting on a shared server in the first place.

> 
> * SSL certificates don't come cheap. $50 seems like the low end right  
> now, and the really big names (like Verisign or Thawte) charge several  
> times that.

You are paying for a basic trust, not for crypto. You can easily self
sign and have SSL all day long.

> 
> * Many common load-balancing products only work with unencrypted HTTP.  
> Furthermore, SSL places a much higher load on the server.

How is that preventing the adoption of SSL? It is fairly trivial to
accelerate and terminate SSL and then to load balance behind the
termination point. OSS proxy software is readily available as are PCI
accelerator cards. A single box load balancer for a few thousand would
support any moderately sized business well.

> 
> Some of these things are set to change - for example, SNI is set to  
> fix the first one. However, it's only just becoming available; it'll  
> be a while before it can be relied on in production systems.

Corporations handling personal or financial data should have no need for
SNI. Everyone else really shouldn't care or should have the means to do
so safely.

> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 

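The point both posters circle around (a server on a shared IP can only pick the right certificate if the client names the host inside the TLS ClientHello, which is exactly what the SNI extension adds) is easier to see on the wire. The script below is an added illustration, not code from the thread: it builds a minimal TLS 1.2 ClientHello with and without the SNI extension, parses the record the way a terminating proxy or virtual-host dispatcher would, and falls back to a single default certificate when no name is present, which is the pre-SNI "one certificate per IP" situation. The host names and certificate paths are constructed placeholders.

```python
"""Build and parse a TLS ClientHello to show where the SNI host name lives.

Added example (not from the thread). Uses only the standard library; the
record format follows RFC 5246 (ClientHello) and RFC 6066 (server_name).
"""
import struct
from typing import Optional

SNI_EXT_TYPE = 0x0000   # extension type "server_name"
HOST_NAME_TYPE = 0      # NameType host_name inside the ServerNameList


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Return a minimal TLS 1.2 ClientHello record.

    When server_name is None no extensions block is emitted at all, which
    mimics a pre-SNI client: the server sees an IP and port, nothing more.
    """
    random = b"\x00" * 32                 # fixed placeholder random (constructed)
    session_id = b""
    cipher_suites = b"\x00\x2f\x00\x35"   # TLS_RSA_WITH_AES_{128,256}_CBC_SHA
    compression = b"\x00"                 # null compression only
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
        sni_data = struct.pack("!H", len(entry)) + entry          # ServerNameList
        extensions = struct.pack("!HH", SNI_EXT_TYPE, len(sni_data)) + sni_data
    body = (
        b"\x03\x03" + random                                      # client_version
        + struct.pack("!B", len(session_id)) + session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + struct.pack("!B", len(compression)) + compression
    )
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType 1
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name carried in the SNI extension, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                   # skip client_version + random
    sid_len = body[pos]; pos += 1 + sid_len        # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = body[pos]; pos += 1 + cm_len          # compression_methods
    if pos >= len(body):
        return None                                # no extensions: pre-SNI client
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        ext = body[pos:pos + ext_size]; pos += ext_size
        if ext_type != SNI_EXT_TYPE:
            continue
        list_len = struct.unpack("!H", ext[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            name_type, name_len = struct.unpack("!BH", ext[q:q + 3]); q += 3
            name = ext[q:q + name_len]; q += name_len
            if name_type == HOST_NAME_TYPE:
                return name.decode("idna")
    return None


def select_certificate(record: bytes, cert_table: dict, default_cert: str) -> str:
    """Pick the certificate a shared-IP server would present for this hello.

    cert_table maps host names to certificate paths (hypothetical values).
    Without SNI there is nothing to key on, so every client on that IP gets
    default_cert, which is why pre-SNI hosting needed one IP per SSL site.
    """
    host = extract_sni(record)
    if host is None:
        return default_cert
    return cert_table.get(host, default_cert)


if __name__ == "__main__":
    table = {"example.com": "/etc/ssl/example.com.pem",      # constructed
             "shop.example.net": "/etc/ssl/shop.example.net.pem"}
    for name in ("example.com", "shop.example.net", "other.test", None):
        hello = build_client_hello(name)
        print(f"SNI={name!r:20} -> {select_certificate(hello, table, '/etc/ssl/default.pem')}")
```

A server dispatching on `extract_sni` can run several SSL sites behind one address; a client that omits the extension lands on the default certificate and gets a name-mismatch warning for every other site, which is the same failure the quoted post describes for shared hosting before SNI.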
