Why doesn't all web traffic by default use https for encryption? (or an encrypted http) [duplicate]

Possible Duplicate:
Will it ever be possible to run all web traffic via HTTPS?

Why is the concept of having secure communication using encryption tied to confirming the website's identity in https? Wouldn't all users of the web benefit from even having their http traffic encrypted using a 256 bit key?

There are tons of sites that transmit a user's login/password using http that can be snooped upon. Users aren't so savvy as to just avoid all of these weak sites and often use the same credentials for weak-security sites and strong-security sites. (Some sites, like Twitter, don't even make it clear that they use https when you log in; they do use https, but you can't easily tell from their main page, which isn't loaded with https.)

There is a slight performance hit when using https over http, but is it significant enough to balance out the benefit of having all users' web communication secure? I see https and extended https validation as being really useful to let the user know who they are dealing with. But even if you don't know who you are dealing with or don't need to trust them that much, wouldn't all users' overall security be improved by having http traffic more difficult to spy on?

MikeN asked Dec 22 '22 10:12


2 Answers

Don't forget that browsers generally don't cache anything obtained over https - if it were used by default, pages become slower to load and your bandwidth usage goes up.

Looks like that was incorrect - my observation was based on banking websites where I've never seen cached content, but clearly this is down to regular HTTP cache control headers.

See also answers to the similar question Will it ever be possible to run all web traffic via HTTPS?

Paul Dixon answered Jan 04 '23 15:01
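The correction in the answer above is that whether a browser may store a response is decided by the response's own headers, not by the URL scheme. The following is an added example, not code from the question or from either answer: a simplified storability and freshness decision modelled on the RFC 7234 rules, run on constructed response headers so it can be executed offline. The function names, the sample headers, and the simplifications (request-side conditions such as Authorization are ignored, and only the common response directives are handled) are assumptions of this example.

```python
"""Simplified HTTP cache storability check (added example, modelled on RFC 7234).

The URL scheme is accepted by storability() only to make the point visible:
it never enters the decision. Cache-Control, Expires and the status code do.
"""
from email.utils import parsedate_to_datetime

# Status codes a cache may store even without explicit freshness information
# (the "cacheable by default" codes listed in RFC 7231 section 6.1).
HEURISTICALLY_CACHEABLE = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}


def parse_cache_control(value):
    """Split 'max-age="60", no-cache' into {'max-age': '60', 'no-cache': None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def freshness_lifetime(h, shared_cache=False):
    """Seconds the response stays fresh, for lower-cased header dict h.

    Order of precedence: s-maxage (shared caches only) / max-age, then
    Expires minus Date, then a 10% heuristic on Last-Modified, else 0.
    """
    cc = parse_cache_control(h.get("cache-control", ""))
    keys = ("s-maxage", "max-age") if shared_cache else ("max-age",)
    for key in keys:
        arg = cc.get(key)
        if arg is not None and arg.isdigit():
            return int(arg)
    if "expires" in h:
        try:
            delta = parsedate_to_datetime(h["expires"]) - parsedate_to_datetime(h["date"])
            return max(0, int(delta.total_seconds()))
        except (KeyError, TypeError, ValueError):
            return 0  # missing Date or malformed Expires: treat as already stale
    if "last-modified" in h:
        try:
            delta = parsedate_to_datetime(h["date"]) - parsedate_to_datetime(h["last-modified"])
            return max(0, int(delta.total_seconds() * 0.1))
        except (KeyError, TypeError, ValueError):
            return 0
    return 0


def storability(scheme, status, headers, shared_cache=False):
    """Return (storable, fresh_seconds, reason) for a response.

    `scheme` ("http" or "https") is deliberately unused: the decision depends
    only on status and headers, which is the point the answer corrects.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return (False, 0, "Cache-Control: no-store")
    if shared_cache and "private" in cc:
        return (False, 0, "Cache-Control: private on a shared cache")
    explicit = ("expires" in h or "max-age" in cc or "public" in cc
                or (shared_cache and "s-maxage" in cc))
    if not explicit and status not in HEURISTICALLY_CACHEABLE:
        return (False, 0, f"status {status} is not cacheable without explicit freshness")
    if "no-cache" in cc:
        return (True, 0, "stored, but revalidate before each reuse (no-cache)")
    fresh = freshness_lifetime(h, shared_cache)
    return (True, fresh, "explicit freshness" if explicit else "heuristic freshness")


def compare_schemes(status, headers, shared_cache=False):
    """Run the same response through both schemes; the verdicts are identical."""
    return {s: storability(s, status, headers, shared_cache) for s in ("http", "https")}


# Constructed sample headers for the demo (assumed, not captured from a real site).
SAMPLE_HEADERS = {
    "Date": "Thu, 22 Dec 2022 10:12:00 GMT",
    "Cache-Control": "public, max-age=3600",
}

if __name__ == "__main__":
    for scheme, verdict in compare_schemes(200, SAMPLE_HEADERS).items():
        print(f"{scheme}: {verdict}")
    print("no-store over https:", storability("https", 200, {"Cache-Control": "no-store"}))
```

The banking pages in the answer would have carried `Cache-Control: no-store` (or `private`), which is what stopped them from being cached; the same headers produce the same verdict over plain http.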


A few reasons I can think of:

  1. Security is used to protect things that are sensitive/important. If something isn't sensitive or important, security isn't necessary.

  2. SSL doesn't really provide that much in the way of validation of who you are dealing with. If you have an e-mail address (and maybe a phone number) you can get an SSL certificate.

  3. That "slight performance hit" really adds up if you have lots of users.

  4. Some people just don't want to spend that extra hundred bucks or so a year for an SSL certificate on their blog/homepage/etc.

Eric Petroelje answered Jan 04 '23 16:01