I was logging into gmail today and I connected through a secure connection. I thought to myself, why isn’t all of the Internet done this way? It seems like that would make it a much safer place. Thoughts?
It costs money to get a trusted certificate. It requires more computer power to encrypt the traffic. It requires work to set it up and keep it working correctly.
Thanks for your response. Are these costs really prohibitive? Computers aren’t really that expensive these days. I’m wondering what kind of pushback there would be if there were some kind of secure internet initiative.
Computers may not be, but servers and their software packages can get scary expensive. Typical servers can easily run $8,000-$10,000 each; increasing server load by 3-5% might require $30K-$50K in hardware to compensate for it, for no improvement in revenues.
It’s not that the costs are prohibitive, but just that these things take effort and upkeep (your certificate expires periodically and you have to pay to get it renewed and then install it, etc.), and if it really doesn’t matter for a particular web site, where’s the incentive to do it? Does it matter that when you browse Wikipedia, the connection isn’t secure?
There are also some other considerations with securing all web traffic. For example, your company may have you browse web pages through a caching proxy server, which means that if you and the guy in the office next door both look at the same web page, it only gets grabbed once, saving the company’s bandwidth. You can’t do this if everyone’s traffic is encrypted with SSL, so the company could conceivably have to get a fatter internet connection and/or more powerful proxy servers to handle more connections. Depending on the size of the organization, this type of thing could be significant. Another factor is that we’re often viewing web pages on our mobile phones now, and I can attest that SSL slows things down significantly due to the phone having to use its CPU to do encryption, plus the lengthy back-and-forth conversation that happens between your browser and the server when setting up an SSL connection.
I thought about leaving the computer power off the list. I think that the main cost is the labor to set things up. It also would not really make things much more secure. People hacking into computers on the web don’t get a whole lot more information from sniffing the traffic of others. Email and banking are private information that you don’t want others to know about. Things like CNN or the dope are not meant to be hidden from others.
The majority of servers run Linux (OS), Apache (web server), and OpenSSL (encryption software), all of which are free in every sense of the term. (This doesn’t factor in support costs, if you buy a support contract, but you’ll have to hire an IT guy anyway.) Microsoft is only a monopoly on the desktop.
Server hardware can be expensive or cheap, depending on what you buy. It’s entirely possible to use a commodity whitebox as a server but you generally want something with a bit better-quality hardware than that.
Anyway, gazpacho has it right: Most traffic just isn’t sensitive, so it makes no sense to encrypt it.
Key management, CPU overhead, certificate management, resistance from end users, and the option for encryption via other methods I assume are the reasons.
First off, there’s very, very little secure about your mail. You’re just using SSL to connect to a webmail server. Big deal. SMTP mail is plain-text, so that email you send your buddy outside of gmail goes through a dozen routers, which can be compromised and sniffed. If he’s a gmail buddy then the gmail server admins can read the message to their heart’s content. So unless you and your buddy have some kind of key exchange and are encrypting both the body and any attachments, then there’s very little secure about your email. SSL just stops one sniffing scenario really. At least with banking sites you’re not sending the data unencrypted to another server, like you do with email. It’s all kept locally, so SSL makes a lot more sense in that scenario.
For those who want encryption, they do a lot more than use an SSL-enabled website and call it a day. Corporate customers prefer VPN or using secure channels like encrypted POP/IMAP/MAPI/etc and doing encryption of the items on top of that.
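
An added example, not part of the thread: the hop-by-hop point about SMTP can be checked from the receiving side, because each relay records how it received the message in a `Received:` header, and the RFC 3848 `with` keywords such as `ESMTPS` mark hops that used TLS. The sample message, host names and function names below are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample message (not real traffic); reserved example hosts/addresses.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
\tby inbound.example.org with ESMTPS id abc123
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
\tMon, 01 Jan 2024 10:00:03 +0000
Received: from relay.example.com (relay.example.com [198.51.100.20])
\tby mx.example.net with ESMTP id def456;
\tMon, 01 Jan 2024 10:00:02 +0000
Received: from laptop.local (unknown [192.0.2.10])
\tby relay.example.com with ESMTPSA id ghi789;
\tMon, 01 Jan 2024 10:00:01 +0000
From: alice@example.com
To: bob@example.org
Subject: lunch

See you at noon.
"""

# "with" keywords that indicate the hop ran over TLS (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                 "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}

def _field(keyword, text):
    """Return the token following 'from', 'by' or 'with', or '?' if absent."""
    m = re.search(r"\b%s\s+([^\s;]+)" % keyword, text)
    return m.group(1) if m else "?"

def hop_report(raw_message):
    """List (sender, receiver, protocol, used_tls) per hop, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    # Each relay prepends its header, so reverse to get chronological order.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())          # undo header folding
        proto = _field("with", text).upper()
        hops.append((_field("from", text), _field("by", text),
                     proto, proto in TLS_PROTOCOLS))
    return hops

def cleartext_hops(raw_message):
    """Hops whose Received header does not claim TLS."""
    return [(s, r) for s, r, _, tls in hop_report(raw_message) if not tls]

if __name__ == "__main__":
    for sender, receiver, proto, tls in hop_report(SAMPLE):
        print(f"{sender} -> {receiver}: {proto} ({'TLS' if tls else 'cleartext'})")
```

`Received:` headers are written by the relays themselves, so the report shows what each server claims about the hop. A hop marked TLS still leaves the message readable on every server that handles it.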