Ask HN: When are we finally going to start defaulting to TLS/SSL?

4 points by VexXtreme ↗ HN
Considering all the recent controversy regarding government programs that analyze and store your HTTP traffic (and potentially malicious and immoral ISPs that sell it to 3rd parties), is there a good reason why there are still websites that don't use TLS/SSL? Whenever I see a website that uses unencrypted HTTP it makes me feel nervous and even disinclined to use it. Furthermore, if your website requires me to register/log in via an insecure connection, I simply won't use it - no matter how good it might be. I'm sure there are many hackers out there that feel the same way.

Some people argue that if your key-pair is compromised that TLS doesn't really mean a whole lot. While that is true, there are still key exchange mechanisms that guarantee perfect forward secrecy such as discrete logarithm Diffie-Hellman and elliptic curve Diffie-Hellman.

Pretty much all modern browsers support these ciphersuites and enabling them on the server shouldn't really be a big deal. Is there a GOOD reason why we aren't defaulting to these modes nowadays? (Ignorance and laziness don't count).

If you own and maintain a website, please enable TLS - at the very least.

5 comments

[ 4.8 ms ] story [ 24.5 ms ] thread
I feel like people just aren't used to it ("What is this green lock in my address bar? This is just XYZNewsNet, if they need security, they must be doing something wrong", so large sites aren't inclined to make the switch.
> Is there a GOOD reason why we aren't defaulting to these modes nowadays?

Two of them:

(1) SSL certificates for public-facing sites (where you don't control the trusted CAs/certs) cost money. More money than many individuals with sites spend on their hosting.

(2) Because you need one IP address per domain to do SSL, which costs even more money. Most sites are on shared hosting where dedicated IPs are not even offered, and on VPS/dedicated hosting additional IPs cost extra.

There's not enough free IPv4 space available to switch every domain to SSL if we wanted to. It won't be until Windows XP and Android 2.x usage is much lower that we can start using SNI on public-facing websites, which would relieve us of the need for a separate IP per domain.

On a personal note, SSL can be really expensive even if you're willing to spend money on it. I run three sites that give users subdomains. To run SSL on the sites, I need three wildcard certificates that cost over $300 per year.

1) Free SSL certificates: http://www.startssl.com/

2) The benefits of SSL far outweigh the inability to serve XP and Android 2.X clients. Use a dedicated IP if you can and its cost-effective, if not, use SNI.

1) Not free for commercial use per their terms of service. You have to use their $59.90+ paid product.

2) No, the benefits of SSL do not "far outweigh" the cost of not being available at all. If 1 in 5 people can't reach your site, it doesn't matter how secure you are. That's about how much of the web you would be shutting out by deploying SNI today.

If those were reasonable choices to make, at least some companies would be making them, but not a single well-known site has done so.