28 comments

[ 10.2 ms ] story [ 72.8 ms ] thread
Because certificates cost a lot?
Because IP addresses are hard to get? Because SSL adds computational overhead? Because it requires extra staff time to renew certificates? Because storing keys and even CSRs adds to the security budget and staff training?

Is it just me or is anyone else tired of these blogs on Hacker News? It seems that anyone who has a website and some time can get their opinion to the top of the list.

I should try it.

I think the problem (with Hacker News) is that the front page cycles too quickly. There just aren't that many informative bits of news, or blog posts, every day.
There is the inexplicably unadvertised news.ycombinator.com/best for a slower cycle. I prefer it.
I was also unnerved by the fast cycling, and looking for something just like this. Inexplicably unadvertised indeed, thanks!
SSL isn't actually as computationally expensive as it used to be. Sure back when hardware wasn't as advanced as it is now, but you can no longer factor SSL into significant CPU cycles.
This is fairly true, but it's still a potential factor depending on your SaaS setup.
No they don't. I bought one for $10
That's $10 more than you'd have to pay without one.
Okay, you're on shared hosting. What do you do with that pretty little cert? Oh right, you now pay to upgrade to a static IP. Now you're paying for that.
Nope - on a VPS. The point is, it's not expensive, even if you have to pay for a dedicated IP.
Let's see...

* IPv4 addresses are NOT free by any means.

* Having an SSL certificate requires extra configuration on the server.

* Legitimate SSL certificates are not free (VeriSign, etc, if your site uses StartCom then you're doing it wrong)

That's just a few points.

> * IPv4 addresses are NOT free by any means.

You can use SNI but you probably have one website and one certificate for all customers anyway.

> if your site uses StartCom then you're doing it wrong

Why? (honest question)

SNI doesn't work on IE on XP. It's still a big market, unfortunately.
>Why? (honest question)

I meant to say StartSSL, which is the free SSL certificate provider. As far as I'm aware, their free certificated come with no warranty of any kind (although I could be wrong). Depending on how large your business is, you would more than likely go with a trusted brand such as VariSign/GeoTrust/Thawte.

Although for small projects, they're more than fine if all you care about is quickly and cheaply securing transmissions.

I brought StartSSL to my last 2 employers for internal sites, like development sites and internal apps, and it's been wonderful. We haven't found any problems with StartSSL certificates in browsers, from IE6 up through the newest browsers. We've considered using StartSSL for our public sites too, but haven't done so yet.

Do customers really care about the name brand or "warranty" of the SSL certificate? What percentage of customers are even aware of who issued your certificate, and do those customers really have concerns about StartCom?

This sounds like the argument we heard from DynDNS salespeople last year, about how our customers expect us to be using "enterprise" vendors, rather than "consumer-grade" vendors like Amazon Web Services. Even our savviest customers have never asked us who our DNS provider was.

>You can use SNI

and lose all your IE on XP viwers and all your non-Honeycomb/ICS android viewers? All your 3.x iOS users? All your blackberry users?

Are there any large sites using SNI to handle SSL queries? I'd love to hear about their experiences.

Computational cost is not negligible when you scale up. It is very manageable, but it does end up costing extra.

Using SSL for all private data is an absolute must though.

I don't see cost as being a counterargument for a SaaS. I paid about $20 for my certificate, took an hour or so to jump through the signing hoops, serving assets through cloudfront which charges me pennies, and heroku has $20/month SSL support. If you can't recover that cost per user through your SaaS, you have bigger problems.
Imagine a service that offered you ‘hashed passwords’, ‘encrypted credit card storage’, ‘backed up data’ or ‘up to date libraries’ if you pay for their advanced plan. Not cool, right?

All of those things relate to the security of the provider so you expect them as standard. SSL, as a customer facing feature, secures data when it's out on the wilds of the Internet or on the customer's network. It's a bit like charging extra to offer signed courier delivery instead of USPS.

I don't quite see "hashed passwords" relating as much to the security of the provider as it would to that of the customer.
The hashes passwords are stored at the provider, no?

Everything he listed relates to security at the provider, which you'd expect as standard. SSL merely secures the connection across the Web to the provider, but not within their system.

Hashes are stored at the provider but the fact that they hashed is what I am referring to. Hashing itself only protects the user, there is little benefit to the providers security.
(comment deleted)
For serious cloud/SaaS products, especially B2B stuff, this really shouldn't be a question. When I was at Harvest we sent SSL-for-all in 2009:

http://www.getharvest.com/blog/2009/06/unlimited-clients-pro...

Sure, it costs a little bit of money. But it makes our users little safer when they log into our service. There aren't many levers you have a SaaS product that you can pull to really make user data secure once it leaves your servers.

As pwim said, if you can't recover the cost per user then your company must have some big problems. I always frown at a pricing page that says SSL is an add-on, it demonstrates that whomever is running things behind the curtain isn't really concerned about the safety of user data in their app.

I was baffled by Heroku's $20/month fee for SSL until I found out that SSL on EC2 means you have to have a dedicated Elastic Load Balancer for each domain.
SSL as a feature usually differentiate between sites that accept online payments (need to use SSL on their site payment form) and those that don't. Those that accept online payments seem to be able to pay more for a service than sites that don't accept online payments.

tl;dr sites that need ssl usually can pay more for same service.

Sometimes, we invent buzzword laden “features” SLA

SLAs are buzzword nothings? Man, the naiveity is simply oozing out of this post.