Author Topic: Why isn’t SSL turned on by default for all websites?
Aerlinthian 
Posts: 66,222
Registered: May 7, '01
Real Post Cnt: 65,491
User ID: 94,919
Subject: Why isn’t SSL turned on by default for all websites?
Long but interesting in-depth article on the topic.
Linux News posted:
by Vito Botta, first published on his Blog

There has been a lot of talking, over the past few months, about a Firefox extension called Firesheep which, in the words of author Eric Butler:
“demonstrates HTTP session hijacking attacks”.

Discussions around the Internet on the matter have been quite heated, with lots of people thanking him for his efforts in raising awareness on the security issues of modern Internet applications, and many others blaming him for making it way too easy for anyone (even people who know close to nothing regarding security) to hack into other people’s accounts on social networks, webmails and other web applications, provided some conditions are met. In reality, all these issues have been well known for years, so there is very little to blame Butler for, in my opinion, while we should pay more attention to the fact that most websites are vulnerable to these issues, still today. So, if the issues highlighted by Firesheep hardly are news, why has it caught so much attention over the past few months?

Some context

Whenever you login on any website that requires authentication, two things typically happen:

1. First, you are usually shown a page asking you to enter your credentials (typically a username and a password, unless the service uses OpenID or any other single sign-on solution, which is a quite different story), and upon the submission of a form, if your credentials match those of a valid account in the system, you are authenticated and thus redirected to a page or area of the site whose access would otherwise be forbidden.

2. For improved usability, the website may use cookies to make logins persistent for a certain amount of time across sessions, so you won’t have to login again each time you open your browser and visit the restricted pages, unless you have previously logged out or these cookies have expired.

During the first step, the authentication requires your credentials to travel over the Internet to reach their destination, and, because of the way the Internet works, this data is likely to travel across a number of different networks between your client and the destination servers; if this data is transferred in clear on an unencrypted connection, then there is the potential risk that somebody may be able to intercept this traffic, and therefore they could get hold of your credentials and be able to login on the target website by impersonating you.

Over the years, many techniques have been attempted and used with different degrees of success to protect login data, but to date the only one which has proven to be effective, for the most part, is the full encryption of the data.

Continued

-----signature-----
(none)
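The second step the quoted article describes, the persistent login cookie, is the piece that a passive sniffer on a shared network picks up when the site is not on HTTPS: a session cookie without the Secure flag is attached to every plain http:// request as well. The following is an added example, not code from Vito Botta's article or from this thread, that audits the Set-Cookie headers of a login response for exactly that weakness and shows the hardened form alongside an HSTS header. The cookie names, values and sample response headers are constructed for illustration, and the list of names treated as session cookies is an assumption; everything else is the Python standard library.

```python
"""Check whether a site's session cookie could be replayed from a cleartext
request, and show the hardened form.

Added example, not code from the quoted article or from this thread. The
cookie names, values and response headers below are constructed for
illustration; the checks use only the standard library.
"""
from http.cookies import SimpleCookie

# Names commonly used for the persistent-login cookie the article describes.
# Assumption for this example: anything else is treated as non-session.
SESSION_COOKIE_NAMES = {"sessionid", "phpsessid", "jsessionid", "session", "sid"}


def audit_set_cookie(header_value):
    """Return {cookie_name: [findings]} for one Set-Cookie header value.

    A cookie without Secure is sent on plain http:// requests too, which is
    what a sniffer on the same network sees; that is the Firesheep case.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    findings = {}
    for name, morsel in jar.items():
        issues = []
        if not morsel["secure"]:
            issues.append("missing Secure: also sent over plain HTTP")
        if not morsel["httponly"]:
            issues.append("missing HttpOnly: readable by page scripts")
        if not morsel["samesite"]:
            issues.append("missing SameSite: sent on cross-site requests")
        findings[name] = issues
    return findings


def exposed_session_cookies(headers):
    """Names of session cookies in a response that lack the Secure flag."""
    exposed = []
    for field, value in headers:
        if field.lower() != "set-cookie":
            continue
        for name, issues in audit_set_cookie(value).items():
            if name.lower() in SESSION_COOKIE_NAMES and any(
                i.startswith("missing Secure") for i in issues
            ):
                exposed.append(name)
    return exposed


def has_hsts(headers):
    """True if the response tells browsers to stay on HTTPS (HSTS)."""
    return any(f.lower() == "strict-transport-security" for f, _ in headers)


def hardened_set_cookie(name, value, max_age=3600):
    """Build a Set-Cookie value with the flags a session cookie should carry."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["secure"] = True        # never sent over http://
    morsel["httponly"] = True      # not exposed to document.cookie
    morsel["samesite"] = "Lax"     # not attached to cross-site POSTs
    morsel["path"] = "/"
    morsel["max-age"] = max_age    # bounded lifetime for the persistent login
    return morsel.OutputString()


# Constructed sample response: a typical pre-HTTPS login reply.
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=4f3c9a1e; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]

if __name__ == "__main__":
    for field, value in SAMPLE_RESPONSE_HEADERS:
        if field == "Set-Cookie":
            print(value, "->", audit_set_cookie(value))
    print("exposed session cookies:", exposed_session_cookies(SAMPLE_RESPONSE_HEADERS))
    print("HSTS present:", has_hsts(SAMPLE_RESPONSE_HEADERS))
    print("hardened:", hardened_set_cookie("sessionid", "4f3c9a1e"))
    print("add header: Strict-Transport-Security: max-age=31536000; includeSubDomains")
```

Run against the constructed response, the audit reports the session cookie as exposed (HttpOnly alone does nothing against a network sniffer) and the absence of HSTS, which is the header that keeps a browser from ever making the first plain-HTTP request once it has seen the site over TLS. Both fixes are server-side and cost nothing at runtime; the cost discussed further down the thread is the TLS handshake itself, not the flags.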
Steelwind_Oo
Title: Lurking Oo
Posts: 32,879
Registered: Sep 30, '00
Real Post Cnt: 31,007
User ID: 46,829
Subject: Why isn’t SSL turned on by default for all websites?

There are plugins that do just that. The problem is that bandwidth usage is much higher, and not all sites even have a cert or listen on 443, so it wouldn't work for ALL sites.

-----signature-----
'God is an imaginary friend for grownups.', Walter Crewes (Morgan Freeman), The Big Bounce
Don't be afraid to ask dumb questions; they're easier to handle than dumb mistakes!
Xbox 360 Gamer Tag: SteelwindOo
e93% a53% s33% k13%
Speak-pkhq
Title: Sheep's bane
Posts: 9,159
Registered: Jul 7, '02
Real Post Cnt: 8,993
User ID: 695,362
Subject: Why isn’t SSL turned on by default for all websites?

I wasn't aware of an increase (beyond anything super small). The increase in processing power to handle the encryption (SSL) is what I thought the problem was.

-----signature-----
Wailing HoHoHoMerryXmas Hero, daoc Kay
Bardog Mage, wow Thunderlord <Schizm>
http://7-zip.org/
trollop hunter
Sprawl-zero1eye-
Title: IGN Vault Staff
Reziztance iz Futile
Posts: 53,263
Registered: Jun 28, '02
Real Post Cnt: 52,657
User ID: 692,733
Subject: Why isn’t SSL turned on by default for all websites?

It's probably for the best.

If all sites were SSL, we would be flooded with tons of self-signed certs. People over time would get used to just accepting things, and as such, we would be back to where we started, with carpal tunnel from all the extra certificate acceptance.

-----signature-----
Mirkwood MUD, OneEye IvoryFang, Lord of the VampireZ (Retired)
AC Frostfell, Clan Z - Lvl 239 Grief Dagger (Retired)
WoW Lightbringer Alliance, Z Guild - Lvl 85 Combat Rogue (Retired)
Making iOS Apps these days at http://zsprawl.com/iOS
Balor_Gafdan
Title: Gun Toting Conservative
Posts: 27,802
Registered: Dec 20, '01
Real Post Cnt: 27,282
User ID: 563,478
Subject: Why isn’t SSL turned on by default for all websites?

Speak-pkhq posted:
    I wasn't aware of an increase (beyond anything super small). The increase in processing power to handle the encryption (SSL) is what I thought the problem was.

It still is computationally expensive with decent ciphers. However, hardware is coming along and we'll probably reach a point where it's not intensive enough to warrant not using it.

We're slowly starting to transition all of our stuff to SSL at work and I'm keeping a close eye on the 2008 R2 VMs. The load has increased, but we're holding steady. This is SMS software that gets used on a daily basis by hundreds of people, so it's not a "huge" test, but it's enough for me to agree: we're not quite there yet.

-----signature-----
"The constitutions of most of our States assert that all power is inherent in the people; that... it is their right and duty to be at all times armed."
Rolab - PT Warhammer
Steelwind_Oo
Title: Lurking Oo
Posts: 32,879
Registered: Sep 30, '00
Real Post Cnt: 31,007
User ID: 46,829
Subject: Why isn’t SSL turned on by default for all websites?

The biggest impact is in the initial handshake, so the effect will depend on the kind of traffic the site gets.

-----signature-----
'God is an imaginary friend for grownups.', Walter Crewes (Morgan Freeman), The Big Bounce
Don't be afraid to ask dumb questions; they're easier to handle than dumb mistakes!
Xbox 360 Gamer Tag: SteelwindOo
e93% a53% s33% k13%