<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Fri, Aug 1, 2014 at 4:33 AM, ianG <span dir="ltr"><<a href="mailto:iang@iang.org" target="_blank" onclick="window.open('https://mail.google.com/mail/?view=cm&tf=1&to=iang@iang.org&cc=&bcc=&su=&body=','_blank');return false;">iang@iang.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class="">Well, no. Implementing HTTPS:// is hard. It is simply out of the cost<br>
</div>
range of about 99% of the websites [0]. Otherwise they would.</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
[0] old figures. It used to be that around 1% of the websites used<br>HTTPS, no idea what it is now.</blockquote><div> </div><div>[0] Citation needed</div><div><br></div><div>Modern CPUs have crypto accelerators (e.g. AES-NI). https is cheaper than ever before.</div>
<div><br></div><div>The alternative is, what, everyone handroll their own JS crypto that only protects against passive attacks and easily folds when confronted with an active attacker?</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
The fact that *you might be able to reach that high bar* is irrelevant.<br>
What is relevant is the 2 decades of history that we have that says<br>
clearly, HTTPS is simply too expensive.<br></blockquote><div><br></div><div>Since things like FireSheep made people aware of the use of unencrypted communications is dangerous, HTTPS has seen a massive proliferation in usage. Certain CDNs are contemplating making HTTPS a part of the base package rather than an add-on.</div>
<div><br></div><div>So no, HTTPS cost and usage aren't problems. HTTPS is cheaper than ever to deploy and that trend will continue. The problem is people making silly excuses not to deploy HTTPS.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div class="">Yes, and they can make that argument. HTTPS and PKI carries with it<br></div>
some downsides such as vulnerability to CA-based attacks</blockquote><div><br></div><div>I thought we were talking about passive attacks</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
tracking,<br></blockquote><div><br></div><div>If you load some crypto JS over plaintext HTTP, a passive attacker can see you're doing this, and words like "crypto" might be interesting to their keyword analysis systems.</div>
<div><br></div><div>HTTPS would prevent this.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
JS crypto is BTNS -- better than nothing security.<br></blockquote><div><br></div><div>So is ROT13</div><div> </div></div>-- <br>Tony Arcieri<br>
</div></div>