North American Network Operators Group

Re: https (was: Re: Exploit for DNS Cache Poisoning - RELEASED)

  • From: Steven M. Bellovin
  • Date: Thu Jul 24 04:06:15 2008

On Thu, 24 Jul 2008 09:51:40 +0200
Robert Kisteleki <[email protected]> wrote:

> Patrick W. Gilmore wrote:
> > Anyone have a foolproof way to get grandma to always put "https://"
> > in front of "www"?
> 
> I understand this is a huge can of worms, but maybe it's time to
> change the default behavior of browsers from http to https...?
> 
> I'm sure it's doable in FF with a simple plugin, one doesn't have to
> wait for FF4. (That would work for bookmarks too.)
> 
Servers won't go along with it -- it's too expensive, both in CPU and
round trips.

The round trip issue affects latency, which in turn affects perceived
responsiveness.  This is quite definitely the reason why gmail doesn't
always use https (though it, unlike some other web sites, doesn't
refuse to use it).

As for CPU time -- remember that most web site visits are very short;
this in turn means that you have to amortize the SSL setup expense over
very few pages.  I talked once with a competent system designer who
really wanted to use https but couldn't -- his total system cost would
have gone up by a factor of 10.


		--Steve Bellovin, http://www.cs.columbia.edu/~smb