[security] The costs of HTTPS
Dan Lyke
danlyke at flutterby.com
Thu Oct 26 17:20:06 UTC 2006
We've already covered some of the costs of SSL in other threads, but
as we weigh security versus reward, I think lists are a good thing.
So, the costs of HTTPS:
1. If an Identity Provider uses *.example.com, then they can use a
wildcard certificate. However, if a user uses their own domain name
for their identity, then virtual hosting using the "Host" header is no
longer possible, and the user needs to pay for hosting which includes
a dedicated IP address.
2. HTTPS adds overhead to a web service. It's hard to quantify;
different CPU and server loads and sorts of content make a lot of
difference in such things, but in my queries out to various people who
run web sites of assorted sizes to assorted different classes of
users, I'm seeing things like "SSL's about half the speed/throughput
against static files." Since, in OpenID, both the Claimed Identifier
and IdP Endpoint URL would have to be HTTPS authenticated by a third
party CA to have any effect on security[1], and the Claimed Identifier is
often the first point of entry for any other visits to a user's
identity page, this would have a measurable impact on both the
hardware requirements and electricity costs of any Identity Providers.
Dan
[1] http://openid.net/pipermail/security/2006-October/000000.html
http://openid.net/pipermail/security/2006-October/000028.html
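The wildcard-certificate constraint behind point 1, as an added example that is not part of the post or of OpenID: the matching rules below are the usual client rules (one "*" as the whole leftmost label, matching exactly one label); every identifier the shared certificate does not cover needs its own certificate and, without name-based TLS virtual hosting, its own IP address. The identifier names and the certificate's name list are constructed for the example.

```python
def hostname_matches(hostname: str, cert_name: str) -> bool:
    """Return True if cert_name (a DNS name, possibly "*.example.com")
    covers hostname under the usual client rules: a single "*" as the
    whole leftmost label, matching exactly one label, and never matching
    the bare registered domain itself."""
    host_labels = hostname.lower().rstrip(".").split(".")
    cert_labels = cert_name.lower().rstrip(".").split(".")
    if len(host_labels) != len(cert_labels):
        return False  # a wildcard never spans or adds a label
    # Partial wildcards such as "al*" are rejected, as most clients do,
    # and a "*" anywhere but the leftmost label is not a wildcard at all.
    if "*" in cert_labels[0] and cert_labels[0] != "*":
        return False
    if any("*" in label for label in cert_labels[1:]):
        return False
    if cert_labels[0] == "*" and len(cert_labels) < 3:
        return False  # refuse "*.com"-style names
    for host_label, cert_label in zip(host_labels, cert_labels):
        if cert_label == "*":
            if not host_label:
                return False
            continue
        if host_label != cert_label:
            return False
    return True


def certificate_covers(hostname: str, san_names: list[str]) -> bool:
    """True if any name on the certificate covers hostname."""
    return any(hostname_matches(hostname, name) for name in san_names)


def uncovered_identifiers(identifiers: list[str], san_names: list[str]) -> list[str]:
    """Identifier hostnames the shared certificate does not cover. Each of
    these needs its own certificate and, pre-SNI, a dedicated IP address."""
    return [host for host in identifiers if not certificate_covers(host, san_names)]


if __name__ == "__main__":
    # Constructed data: an IdP serving *.example.com plus one user on her
    # own domain (hypothetical names).
    idp_cert_names = ["example.com", "*.example.com"]
    claimed_ids = ["alice.example.com", "bob.example.com", "carol.net"]
    print(uncovered_identifiers(claimed_ids, idp_cert_names))  # ['carol.net']
```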