[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] The Cookie Tools v0.3 -- first public release
- To: michele dallachiesa <michele.dallachiesa@xxxxxxxxx>
- Subject: Re: [Full-disclosure] The Cookie Tools v0.3 -- first public release
- From: Andrew Farmer <andfarm@xxxxxxxxx>
- Date: Mon, 10 Dec 2007 19:20:22 -0800
On 10 Dec 07, at 05:45, michele dallachiesa wrote:
> why HTTPS is not the default in this type of services? this is a big
> silent hole. maybe, today is less silent :)
The short version is "because hosting things with SSL is still hard".
There's a few things which are significantly holding back the move to
SSL web servers. They include:
* Every domain hosted with SSL must have a dedicated IP address. This
basically rules out any form of shared hosting.
* SSL certificates don't come cheap. $50 seems like the low end right
now, and the really big names (like Verisign or Thawte) charge several
times that.
* Many common load-balancing products only work with unencrypted HTTP.
Furthermore, SSL places a much higher load on the server.
Some of these things are set to change - for example, SNI is set to
fix the first one. However, it's only just becoming available; it'll
be a while before it can be relied on in production systems.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/