- From: Aaron Swartz <me@aaronsw.com>
- Date: Tue, 21 Oct 2008 10:48:17 -0400
>> Some major web services redirect the user to an SSL server for
>> the login transaction, but SSL is too expensive for the vast majority
>> of services.
> The issue is not SSL being expensive: the only expensive part is

There are three costs to SSL:

1. Purchasing a signed cert.
2. Configuring the web server.
3. The CPU time necessary to do the encryption.

1 could be fixed by less paranoid UAs, 2 could be fixed with better software and SNI, and 3 could be fixed by better hardware. But, realistically, I don't see any of these things happening.

> What's the actual difference between this and https? Both mechanisms
> are using public-key encryption to protect the communications; the

The difference is that this would work practically. Server authors typically can't configure, but they typically can install an encryption library. Support will get built into web applications and web application frameworks (disclosure: I'm the author of a web application framework) and the Web will be more secure.
Received on Tuesday, 21 October 2008 07:48:17 UTC