[whatwg] fixing the authentication problem

From: Aaron Swartz <me@aaronsw.com>
Date: Tue, 21 Oct 2008 10:48:17 -0400
Message-ID: <dc21c7860810210748l74950432g7a90fa1b2e7a20@mail.gmail.com>

>> Some major web services redirect the user to an SSL server for
>> the login transaction, but SSL is too expensive for the vast majority
>> of services.
> The issue is not SSL being expensive: the only expensive part is

There are three costs to SSL:

1. Purchasing a signed cert.
2. Configuring the web server.
3. The CPU time necessary to do the encryption.

1 could be fixed by less paranoid UAs, 2 could be fixed with better
software and SNI, and 3 could be fixed by better hardware. But,
realistically, I don't see any of these things happening.

> What's the actual difference between this and https? Both mechanisms
> are using public-key encryption to protect the communications; the

The difference is that this would work practically. Server authors
typically can't configure, but they typically can install an
encryption library. Support will get built into web applications and
web application frameworks (disclosure: I'm the author of a web
application framework) and the Web will be more secure.

Received on Tuesday, 21 October 2008 07:48:17 UTC