[security] The costs of HTTPS
Alaric Dailey
alaricdailey at hotmail.com
Thu Oct 26 18:04:05 UTC 2006
"We have enough fast, insecure systems. We don't need another"
-- Bruce Schneier and Niels Ferguson from "Practical Cryptography"
>From: "Dan Lyke" <danlyke at flutterby.com>
>To: security at openid.net
>Subject: [security] The costs of HTTPS
>Date: Thu, 26 Oct 2006 10:20:06 -0700
>
>We've already covered some of the costs of SSL in other threads, but
>as we weigh out security versus reward, I think lists are a good thing.
>So, the costs of HTTPS:
>
>1. If an Identity Provider uses *.example.com, then they can use a
>wildcard certificate. However, if a user uses their own domain name
>for their identity, then virtual hosting using the "Host" header is no
>longer possible, and the user needs to pay for hosting which includes
>a dedicated IP address.
>
>2. HTTPS adds overhead to a web service. It's hard to quantify,
>different CPU and server loads and sorts of content make a lot of
>difference in such things, but in my queries out to various people who
>run web sites of assorted sizes to assorted different classes of
>users, I'm seeing things like "SSL's about half the speed/throughput
>against static files." Since, in OpenID, both the Claimed Identifier
>and IdP Endpoint URL would have to be HTTPS authenticated by a third
>party CA to have any effect on security[1], and the Claimed Identifier is
>often the first point of entry for any other visits to a user's
>identity page, this would have a measurable impact on both the
>hardware requirements and electricity costs of any Identity Providers.
>
>Dan
>
>[1] http://openid.net/pipermail/security/2006-October/000000.html
> http://openid.net/pipermail/security/2006-October/000028.html