Monday, March 21, 2011

HTTPS is more secure, so why isn't the Web using it?


Easy:

  1. SSL certificates cost money.
  2. Free SSL certificates usually trigger a browser warning that 99% of the people won't understand. There are ways around this, of course, but there is no way for a brand new retail channel machine to accept one of these certificates with 100% reliability.
  3. Not all hosts support it.
  4. Not all hosts need it. 
A little more detail:

SSL certificates cost money

The cheapest Verisign certificate I could find (at their site) in 30 seconds is $399. I found one at Thawte for $149, but I am 99.99% sure the two products are not equivalent. I don't sell certificates at http://gopedro.net anymore, but it looks like I was selling these Thawte certificates for $45 for the first year, and yes, that includes a hefty markup. Basically these certificates are a license to print money: they cost whatever the market will bear.

Worse, two of these certificates at the same encryption level are functionally identical. Your provider bundles in additional services (think about buying gas: everyone sells you the same gas, but with different additives), which is what makes it so hard to compare certificates between companies. In reality the certificate is just a little bit of text that costs close to nothing to maintain in a database. Even if you want to cloud the living shit out of the infrastructure, you are still spending maybe a buck; the rest is pure profit for the providers.

Free Certificates

Anyone can generate a certificate that can provide industrial-grade protection to a network connection. The problem is that there is a trust system, and by default devices only trust a few centralized certification authorities. If you are within a company, you can set up your own certification authority (which you trust because YOU set it up) and configure internal clients to trust your CA implicitly. This doesn't work outside of a company, because each user would need changes on the local machine to have it trust these certificates implicitly. And worse: this CA arrangement is much needed, otherwise anyone could issue certificates for any domain and use them to perform man-in-the-middle attacks.

So yes, you can get them for free, but this is not a good feature for the general public. 
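The trust system described above can be seen end to end with a throwaway private CA. The script below is an added example, not code from the original post: it creates a private CA, issues a certificate for an internal host with it, and then checks that certificate twice with openssl, once against the default trust store (the situation that produces the browser warning) and once with the private CA explicitly trusted (the internal-client situation). The hostname "internal.example" and all file names are constructed for the demo; the system trust store is never modified.

```shell
#!/bin/sh
# Added example, not from the original post: a throwaway private CA that shows why a
# certificate you issued yourself is rejected by default and accepted once the client
# has been told to trust your CA. The hostname "internal.example" and all file names
# are constructed for this demo; the system trust store is never modified.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Step 1: create the private CA (a self-signed certificate plus its private key).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 7 \
    -subj "/CN=Demo Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 2: issue a server certificate for an internal host, signed by that CA.
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=internal.example" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 7 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.crt" 2>/dev/null
}

# Step 3a: a client that trusts only the default CA bundle rejects the certificate.
# This is the browser-warning case. Prints "rejected" or "accepted".
verify_without_ca() {
  if openssl verify "$WORK/server.crt" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

# Step 3b: a client configured to trust the private CA (the internal-client case)
# accepts the very same certificate.
verify_with_ca() {
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

make_ca
make_server_cert
echo "default trust store: $(verify_without_ca)"   # rejected
echo "with private CA:     $(verify_with_ca)"      # accepted
```

The two verify calls differ only in which CA the client trusts; the certificate and the cryptography are identical in both runs, which is the whole point: a "free" certificate is just as strong, it is the trust decision that is missing.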

Not all hosts support it.

In order to use a certificate, you need to have a fixed IP address as part of the mechanism. Shared web hosting does not let you tie up one IP address by default, so almost every commercial host out there will charge you a little more just for the IP address you need to assign the certificate to.

Not all hosts need it.

Yup, not all hosts need SSL. I wouldn't lose sleep over blogs and SSL unless you want to authenticate sign-ups for authoring or comment posting. If the information is not critical (by this I mean that the information has no security or privacy connotations), and you are only reading, SSL is probably not needed. On top of that, there is a performance toll, since SSL requires more overhead.

Paranoia

What about privacy? Even if not all of your usual destinations are protected, you don't want anyone in the middle to know what you are looking at. There is a simple fix for that: get a secure proxy/VPN. You can get one of these for under $10, and it will encrypt all of your traffic up to its end point. Anyone who tries to backtrack you will only make it as far as the proxy; there is no (easy) way to trace these all the way back to the end user. I have tried two of these in the past, and all of my work traffic goes over a VPN, but the problem with the commercial services is performance: they are simply too damn slow.

If paranoia is a concern, I would still recommend the VPN/secure proxy route even if it means slower connection speeds. You could use the private modes in most modern browsers (universally referred to as "porn mode"; Chrome calls it "Incognito" and IE9 calls it "InPrivate Browsing"), which will not collect tracking information. Remember that if you use these, don't log into any sites or you will be defeating the purpose (this is not obvious when you use them).

Oh, and in case you missed it, RSA got hacked.