towards https everywhere and strict transport security (was: Has there been a change in US banking regulations recently?)

Steven Bellovin smb at
Wed Aug 25 14:43:49 EDT 2010

On Aug 25, 2010, at 9:04 20AM, Richard Salz wrote:

>> Also, note that HSTS is presently specific to HTTP. One could imagine 
>> expressing a more generic "STS" policy for an entire site
> A really knowledgeable net-head told me the other day that the problem 
> with SSL/TLS is that it has too many round-trips.  In fact, the RTT costs 
> are now more prohibitive than the crypto costs.  I was quite surprised to 
> hear this; he was stunned to find it out.

This statement is quite correct.  I know of at least one major player that was very reluctant to use SSL because of this issue; the round trips, especially on intercontinental connections, led to considerable latency, which in turn hurt the perceived responsiveness of their service.

We need to do something about the speed of light.  Is anyone working on hyperwave or subether technologies?

		--Steve Bellovin,

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at
