[security] The costs of HTTPS

Dan Lyke danlyke at flutterby.com
Thu Oct 26 18:35:06 UTC 2006


On Thu, 26 Oct 2006 11:04:05 -0700, Alaric Dailey wrote:
> "We have enough fast, insecure systems. We don't need another"

Good point, but if you're going to go to Six Apart and ask them to  
adopt HTTPS in version 2, and they say "it'll cost $X", it's good if,  
beforehand, you both know that it's going to cost $X and that you have  
justification for *why* they should bear that cost.

"We have this really cool technology and you should adopt it."

"That'll cost us $50k."

"But it's really really cool. And secure! And really cool!"

Versus:

"That'll cost us $50k."

"But we've explored the alternatives, and we believe that by spending  
that money you'll increase your uptake in use of this system by  
e-commerce sites which use the following three credit card processors,  
which comprise X% of sites in this demographic, giving you this  
additional publicity. And the risk of not doing this is that DNS  
poisoning could cause..."

That way they know you've already actually thought through the risks  
and rewards of the entire security system (and security is a system,  
not a technology), and are willing to discuss specifics.

I know, in my more naive years (circa 1993) I walked into a mid-sized  
city newspaper exec's office and said "The web is coming! It's really  
cool! You should get involved!". Thankfully he didn't laugh me out,  
but he did sit me down and give me a good education on why that was a  
foolish approach. It turns out that I was right and he should have  
done some things differently, but maybe if I'd been smarter in my  
pitch to him we'd both have made more money.

What I've heard thus far from the HTTPS with a signed CA side of the  
argument is not a risk/reward assessment of a system, it's a "let's  
throw this technology at it" approach, and most of the proponents have  
apparently (from some of the arguments being made) not even read the  
OpenID 2.0-10 spec.

And while I've gone off and found quite a bit of information on DNS  
security on my own, nobody on the pro "HTTPS for everything" side has  
been willing to talk about that, other than that, yes, some exploits  
have occurred.

Dan


