Possible Duplicate:
Will it ever be possible to run all web traffic via HTTPS?

Why is the concept of having secure communication using encryption tied to confirming the website's identity in https? Wouldn't all users of the web benefit from even having their http traffic encrypted using a 256-bit key?

There are tons of sites that transmit a user's login/password using http that can be snooped upon. Users aren't so savvy to just avoid all of these weak sites and often use the same credentials for weak security sites and strong security sites. (Some sites, like Twitter, don't even make it clear that they use https when you login, they do use https, but you can't easily tell from their main page that isn't loaded with https.)

There is a slight performance hit when using https over http, but is it significant enough to balance out the benefit of having all users' web communication secure? I see https and extended https validation as being really useful to let the user know who they are dealing with. But even if you don't know who you are dealing with or don't need to trust them that much, wouldn't all users' overall security be improved by having http traffic more difficult to spy on?

+1  A: 

There is a big business in selling SSL certificates. Many, many sites just don't need that kind of security either.

And frankly I don't think the biggest security issues are people snooping on plain http traffic. It's an issue sure, but the bigger fish to fry are people stealing user databases, and/or worms/viruses on the client. Https won't help you if the bad guys have your bank's database.

swilliams
+1  A: 

You forgot about the second point of using SSL. It's meant to verify that you are sending your data to who you really think you are.

If everybody out there started to use SSL, it would lose that second function point (unless every person who ran a site purchased an SSL certificate from a trusted authority and got verified...in which case everybody is going to have to pay a lot more for that site).

This is more so the case with EV (Extended Validation) certs. They're not necessarily any more secure than a regular cert, but the Verification process to purchase them is much more strict and there are fewer vendors that can issue them.

Justin Niessner
+1  A: 

SSL certificates can be very expensive. Sure, you can self-sign the certificates, but almost all of the browsers nowadays alert you of self-signed certificates (the use of self-signed certs is a bad practice anyway).

Also, there isn't always a need to use https. Downloading files, for instance, isn't something that you would generally want to do over https because it's just useless overhead. There should be a need for https, and you shouldn't just use it because you can.

scheibk
The use of self-signed certs is a bad practice because of the browser defaults. Using them is actually more secure than using http, but provides no authentication and can be vulnerable to man in the middle attacks.
David Thornley
I agree with David. Self-signed certs should just be indicated by the browser as an insecure connection, instead of forcing the user through an "are you sure" dialog that they don't get for http pages. If the user wants to see the "golden padlock", they should have to pro-actively install the certificate as trusted. Trouble is that users have been trained "https means secure", so it's now too late to start showing some https connections as secure, and others not. Mind you, that's kind of what EV is attempting...
Steve Jessop
+4  A: 

Don't forget that browsers generally don't cache anything obtained over https - if it were used by default, pages become slower to load and your bandwidth usage goes up.

Looks like that was incorrect - my observation was based on banking websites where I've never seen cached content, but clearly this is down to regular HTTP cache control headers.

See also answers to the similar question Will it ever be possible to run all web traffic via HTTPS?

Paul Dixon
"browsers generally don't cache anything obtained over https". Weird. I serve images over https from one website, and my logs indicate that browsers do cache them (i.e. they don't get hit for every visit from the same IP address to a page they appear on).
Steve Jessop
Hmm, interesting! Will experiment if I have some time later on...
Paul Dixon
I run my site only using https and things are cached based on their expiration dates just like under normal http.
MikeN
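
Added example, not part of the original answers or comments: the thread above concludes that caching over https is governed by the ordinary HTTP cache headers. This Python sketch (function names and sample headers are constructed for illustration) works out whether a browser cache may store a response and for how long, simplified from RFC 9111, and never looks at the URL scheme.

```python
from email.utils import parsedate_to_datetime

def parse_cache_control(value):
    """Split a Cache-Control header into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives

def browser_cache_policy(headers):
    """Return (storable, fresh_seconds) for a private browser cache.

    The URL scheme is deliberately not an input: the decision is the same
    for http:// and https:// responses. Simplified from RFC 9111; heuristic
    freshness (Last-Modified only) is treated as 0 seconds.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return (False, 0)  # typical for banking/account pages
    if "no-cache" in cc:
        return (True, 0)   # stored, but revalidated before every reuse
    if cc.get("max-age") is not None:
        try:
            return (True, max(int(cc["max-age"]), 0))
        except ValueError:
            return (True, 0)  # malformed max-age: treat as already stale
    if "expires" in h and "date" in h:
        try:
            delta = parsedate_to_datetime(h["expires"]) - parsedate_to_datetime(h["date"])
            return (True, max(int(delta.total_seconds()), 0))
        except (TypeError, ValueError):
            return (True, 0)  # invalid date such as "Expires: 0"
    return (True, 0)

# Constructed sample responses (not taken from any real site).
SAMPLES = {
    "static image": {"Cache-Control": "public, max-age=86400"},
    "account page": {"Cache-Control": "no-store"},
    "legacy expires": {"Date": "Mon, 01 Jan 2024 00:00:00 GMT",
                       "Expires": "Mon, 01 Jan 2024 01:00:00 GMT"},
    "revalidate": {"Cache-Control": "no-cache"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, browser_cache_policy(hdrs))
```
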
+2  A: 

A few reasons I can think of:

  1. Security is used to protect things that are sensitive/important. If something isn't sensitive or important, security isn't necessary.

  2. SSL doesn't really provide that much in the way of validation of who you are dealing with. If you have an e-mail address (and maybe a phone number) you can get an SSL certificate.

  3. That "slight performance hit" really adds up if you have lots of users.

  4. Some people just don't want to spend that extra hundred bucks or so a year for an SSL certificate on their blog/homepage/etc.

Eric Petroelje
Your #1 is a bit debatable. By only protecting "sensitive" material, you advertise what material is sensitive. If Malory has the capacity to look at "anything he wants, but not everything he wants" you're telling him where to look. Chaffing is important.
dmckee
@dmckee - That's an interesting point that I hadn't really thought of. Although I think you might be diving into "security through obscurity" there by encrypting everything and hoping they can't find the important bits in the sea of uninteresting stuff.
Eric Petroelje
+1  A: 

I can see how it could be useful to have two kinds of "modes" for security on the web: one where the channel is secure even though you could be talking to a scammer in Nigeria, and one where it's secure and you know who you're talking to, but I'm not sure it's really worth it. For one, if you don't know who you're talking to, it's not really secure, and then I'm not sure that everyday internet users could, or would bother, to take the time to notice and use the distinction. I think it's much better to just have one "secure" browsing form and have people know that when they see that, they are good to go.

And as far as performance, well, it is a small hit, but it's a hit that will keep rising as computer performance rises (as computers get faster it gets easier to both decode RSA encryption using a key and to prime factor large numbers, so computer performance and key length need to rise together). But, just look at Amazon. I'd say they know what they are doing and they've decided that they don't want the SSL hit anywhere they don't need it and have gone to great lengths to only have it on for account and order-related activities.