why not have https for all sites

Hi,

Ive just set myself up with wireless access at home to the internet and
also decided to read a bit on public wireless AP's

It seems that https is very secure when using a public AP.

So why arent all sites just setup to use https, wouldnt that then take
away the possibility of people sniffing any data sent.

I know you'd still have to have other measures like a firewall to stop
people trying to access your laptop.

Regards,
Scott

On 31 Aug 2006 08:01:25 -0700, "(E-Mail Removed)"
<(E-Mail Removed)> wrote in
<(E-Mail Removed) om>:

>Ive just set myself up with wireless access at home to the internet and
>also decided to read a bit on public wireless AP's
>
>It seems that https is very secure when using a public AP.
>
>So why arent all sites just setup to use https,

Puts a much greater load on the server, so it's typically only used when
clearly needed.

>wouldnt that then take
>away the possibility of people sniffing any data sent.

Not entirely, but it would greatly improve security.

>I know you'd still have to have other measures like a firewall to stop
>people trying to access your laptop.

Yep.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

I dont know all the exact details, but https is a very complicated system.
As far as i know, it takes a lot of extra server processing power because of
encryption, and digital certificates have to be purchased for the server
which not everyone can afford.
Also, many media rich sites use plugins such as flash and java and can
conflict with the permissions of those plugins to run in secure modes
compared to a more relaxed open mode on the clients computer.

For these reasons, https is really only used for isp control panels, and
internet banking etc where auctual losses can be made by someone
intercepting your connection with the secure site you are visiting.

I mean why go and purchase extra server processing power, a certificate and
all the rest when you are only trying to give a site with advice on looking
after cats.


<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ps.com...
> Hi,
>
> Ive just set myself up with wireless access at home to the internet and
> also decided to read a bit on public wireless AP's
>
> It seems that https is very secure when using a public AP.
>
> So why arent all sites just setup to use https, wouldnt that then take
> away the possibility of people sniffing any data sent.
>
> I know you'd still have to have other measures like a firewall to stop
> people trying to access your laptop.
>
> Regards,
> Scott
>

> As far as i know, it takes a lot of extra server processing power because
of
> encryption, and digital certificates have to be purchased for the server
> which not everyone can afford.

Right, and if you start using self issued certificates you start asking
users to click "OK" to things they shouldn't be approving. Certs aren't
free but I seem recall there are registrars that don't gouge "too much" for
them.

> Also, many media rich sites use plugins such as flash and java and can
> conflict with the permissions of those plugins to run in secure modes
> compared to a more relaxed open mode on the clients computer.

Well, this is a lousy excuse. But it wouldn't make much sense to push that
sort of content over https anyway. It's best to use https for only the
parts of the sessions that truly need it. Too many sites fail to do this
properly.

> I mean why go and purchase extra server processing power, a certificate
and
> all the rest when you are only trying to give a site with advice on
looking
> after cats.

True, unless there's some sort of sign-in or other information that "needs"
to be kept encrypted it's rather a big waste to use https.

-Bill Kearney

On Fri, 1 Sep 2006 10:17:30 -0400, "Bill Kearney"
<(E-Mail Removed)> wrote in
<d9-(E-Mail Removed)>:

>> As far as i know, it takes a lot of extra server processing power because of
>> encryption, and digital certificates have to be purchased for the server
>> which not everyone can afford.
>
>Right, and if you start using self issued certificates you start asking
>users to click "OK" to things they shouldn't be approving. ...
>
>> Also, many media rich sites use plugins such as flash and java and can
>> conflict with the permissions of those plugins to run in secure modes
>> compared to a more relaxed open mode on the clients computer.
>
>Well, this is a lousy excuse. But it wouldn't make much sense to push that
>sort of content over https anyway. It's best to use https for only the
>parts of the sessions that truly need it. Too many sites fail to do this
>properly.

"Properly" is really an all or nothing proposition -- otherwise "you
start asking users to click 'OK' to things they shouldn't be approving"
(pages partly secure and partly insecure).

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

> >Well, this is a lousy excuse. But it wouldn't make much sense to push
that
> >sort of content over https anyway. It's best to use https for only the
> >parts of the sessions that truly need it. Too many sites fail to do this
> >properly.
>
> "Properly" is really an all or nothing proposition -- otherwise "you
> start asking users to click 'OK' to things they shouldn't be approving"
> (pages partly secure and partly insecure).

No John, that's incorrect.

There's no need to have "everything" delivered from a web site via an https
connection. Plenty of sites like amazon, ebay and others make use of a mix
of http and https connections. So for the delivery of material on the web
it's most certainly NOT an all or nothing propostion. Where it's
problematic is a site that lacks security in other ways like cookies and
just basic bad design. Slapping https on everything would help but only if
the site actually used a genuine certificate, not a self-signed one
requiring the user to OK adding it to their browser. If the site's
half-assed enough to not have a legit cert then it's quite likely an
additional hack vector for users unfortunate enough to go along with adding
it's bogus cert.

On Fri, 1 Sep 2006 15:12:02 -0400, "Bill Kearney"
<(E-Mail Removed)> wrote in
<(E-Mail Removed)> :

>> >Well, this is a lousy excuse. But it wouldn't make much sense to push
>that
>> >sort of content over https anyway. It's best to use https for only the
>> >parts of the sessions that truly need it. Too many sites fail to do this
>> >properly.
>>
>> "Properly" is really an all or nothing proposition -- otherwise "you
>> start asking users to click 'OK' to things they shouldn't be approving"
>> (pages partly secure and partly insecure).
>
>No John, that's incorrect.
>[SNIP]

We'll just have to agree to disagree yet again.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>