https (was: Re: Exploit for DNS Cache Poisoning - RELEASED)

Steven M. Bellovin smb at cs.columbia.edu
Thu Jul 24 03:05:58 CDT 2008


On Thu, 24 Jul 2008 09:51:40 +0200
Robert Kisteleki <robert at ripe.net> wrote:

> Patrick W. Gilmore wrote:
> > Anyone have a foolproof way to get grandma to always put "https://"
> > in front of "www"?
> 
> I understand this is a huge can of worms, but maybe it's time to
> change the default behavior of browsers from http to https...?
> 
> I'm sure it's doable in FF with a simple plugin, one doesn't have to
> wait for FF4. (That would work for bookmarks too.)
> 
Servers won't go along with it -- it's too expensive, both in CPU and
round trips.

The round trip issue affects latency, which in turn affects perceived
responsiveness.  This is quite definitely the reason why gmail doesn't
always use https (though it, unlike some other web sites, doesn't
refuse to use it).

As for CPU time -- remember that most web site visits are very short;
this in turn means that you have to amortize the SSL setup expense over
very few pages.  I talked once with a competent system designer who
really wanted to use https but couldn't -- his total system cost would
have gone up by a factor of 10.


		--Steve Bellovin, http://www.cs.columbia.edu/~smb




More information about the NANOG mailing list