why not have https for all sites

Hi,

I've just set myself up with wireless access at home to the internet and also decided to read a bit on public wireless APs.

It seems that https is very secure when using a public AP.

So why aren't all sites just set up to use https? Wouldn't that then take away the possibility of people sniffing any data sent?

I know you'd still have to have other measures like a firewall to stop people trying to access your laptop.

Regards, Scott

scott_doyland

On 31 Aug 2006 08:01:25 -0700, "scott snipped-for-privacy@johnlewis.co.uk" wrote:

Puts a much greater load on the server, so it's typically only used when clearly needed.

Not entirely, but it would greatly improve security.

Yep.

John Navas

I don't know all the exact details, but https is a very complicated system. As far as I know, it takes a lot of extra server processing power because of encryption, and digital certificates have to be purchased for the server, which not everyone can afford. Also, many media-rich sites use plugins such as Flash and Java and can conflict with the permissions of those plugins to run in secure modes compared to a more relaxed open mode on the client's computer.

For these reasons, https is really only used for ISP control panels, and internet banking etc. where actual losses can be made by someone intercepting your connection with the secure site you are visiting.

I mean, why go and purchase extra server processing power, a certificate and all the rest when you are only trying to give a site with advice on looking after cats?

Ray Taylor

Right, and if you start using self-issued certificates you start asking users to click "OK" to things they shouldn't be approving. Certs aren't free but I seem to recall there are registrars that don't gouge "too much" for them.

Well, this is a lousy excuse. But it wouldn't make much sense to push that sort of content over https anyway. It's best to use https for only the parts of the sessions that truly need it. Too many sites fail to do this properly.

True, unless there's some sort of sign-in or other information that "needs" to be kept encrypted it's rather a big waste to use https.

-Bill Kearney

Bill Kearney

On Fri, 1 Sep 2006 10:17:30 -0400, "Bill Kearney" wrote:

"Properly" is really an all or nothing proposition -- otherwise "you start asking users to click 'OK' to things they shouldn't be approving" (pages partly secure and partly insecure).

John Navas

No John, that's incorrect.

There's no need to have "everything" delivered from a web site via an https connection. Plenty of sites like Amazon, eBay and others make use of a mix of http and https connections. So for the delivery of material on the web it's most certainly NOT an all or nothing proposition. Where it's problematic is a site that lacks security in other ways like cookies and just basic bad design. Slapping https on everything would help but only if the site actually used a genuine certificate, not a self-signed one requiring the user to OK adding it to their browser. If the site's half-assed enough to not have a legit cert then it's quite likely an additional hack vector for users unfortunate enough to go along with adding its bogus cert.

Bill Kearney

On Fri, 1 Sep 2006 15:12:02 -0400, "Bill Kearney" wrote:

We'll just have to agree to disagree yet again.

John Navas
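
An added example, not written by any poster in this thread: the exchange above between John Navas and Bill Kearney turns on pages that are "partly secure and partly insecure", and this Python audit lists the plain-http loads on an https page that put it in that state. The page URL, the HTML and the names `MixedContentAudit` and `audit` are constructed for illustration, and the active/passive grouping is this example's own.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Insecure loads that can change the page or carry what the user submits.
ACTIVE = {"script": "src", "iframe": "src", "form": "action",
          "object": "data", "embed": "src"}
# Insecure loads that are display-only but still make the page "mixed".
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":  # only stylesheets are fetched as page content
            if "stylesheet" not in (attrs.get("rel") or "").lower().split():
                return
            attr, severity = "href", "active"
        elif tag in ACTIVE:
            attr, severity = ACTIVE[tag], "active"
        elif tag in PASSIVE:
            attr, severity = PASSIVE[tag], "passive"
        else:
            return  # e.g. <a href>: a navigation link, not a subresource
        raw = attrs.get(attr)
        if not raw:
            return
        # Relative and protocol-relative URLs inherit the page's https scheme.
        url = urljoin(self.page_url, raw.strip())
        if urlsplit(url).scheme == "http":
            self.findings.append((severity, tag, url))

def audit(page_url, html):
    """Return the insecure loads on an https page; [] for a plain-http page."""
    if urlsplit(page_url).scheme != "https":
        return []
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (not taken from any real site).
SAMPLE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="/site.css">
<script src="http://cdn.example/cart.js"></script>
<script src="//cdn.example/ok.js"></script></head><body>
<img src="http://img.example/logo.png">
<a href="http://shop.example/catalogue">Browse</a>
<form action="http://shop.example/pay" method="post"></form></body></html>"""
```
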
