Comments on Web Insecurity: Security Costs vs Benefits: Should companies deploy SSL to deal with Firesheep?
Blog author: Terri Oda (http://www.blogger.com/profile/10462169521890966235)

Comment by Mary (https://www.blogger.com/profile/17148328916764421339), 2010-11-04 03:20 -04:00:

I discussed this with Andrew, who has talked about the launchpad.net trade-offs a bit, and his summary was: no, the computational effort isn't significant now, but SSL negotiations add noticeably to round-trip costs (especially impacting people who are not physically close to the server, so usually not something North Americans notice most prominently in their web experience), which can be mitigated, but not without a fair investment of developer time.

Comment by Terri Oda (https://www.blogger.com/profile/10462169521890966235), 2010-11-04 10:59 -04:00:

Did you get a chance to read through the Overclocking SSL post? They actually spent quite a lot of time working on addressing the problem of round trip time, and I realise what little I quoted might have misled you into believing that they hadn't.

(This doesn't change the fact that this is a problem that affects some users more than others, of course.)

I suspect for some open source organisations and other groups with limited budgets, the certificate costs can be pretty prohibitive too. When John was looking into it for kernel.org, he was getting quotes well over USD $50k because they needed *.*.kernel.org to handle the various wikis and git repositories and such that they host. Even with * certificates, so they wouldn't have to buy a new cert for every new project, it was pretty ridiculous. Self-signing is becoming non-viable for usability reasons thanks to Firefox.

In the end, Kernel.org was fortunate enough to get a donation from a signing authority to solve their encryption problem.

So yeah, it's definitely not like SSL is the answer for everyone, but it's important to make the decision based on actual problems and not imagined computational costs that aren't nearly as high as they were once reported to be.

Comment by Mary (https://www.blogger.com/profile/17148328916764421339), 2010-11-04 18:20 -04:00:

Thanks, I've now Read the Whole Thing and, as you say, it is good on the subject. I do like to see an explicit acknowledgement of the disproportionate impacts of adding round trips, but you can't have everything.