Ask HN: When are we finally going to start defaulting to TLS/SSL? - VexXtreme

Considering all the recent controversy regarding government programs that analyze and store your HTTP traffic (and potentially malicious and immoral ISPs that sell it to 3rd parties), is there a good reason why there are still websites that don't use TLS/SSL? Whenever I see a website that uses unencrypted HTTP it makes me feel nervous and even disinclined to use it. Furthermore, if your website requires me to register/log in via an insecure connection, I simply won't use it - no matter how good it might be. I'm sure there are many hackers out there that feel the same way.

Some people argue that if your key-pair is compromised, TLS doesn't really mean a whole lot. While that is true, there are still key exchange mechanisms that guarantee perfect forward secrecy such as discrete logarithm Diffie-Hellman and elliptic curve Diffie-Hellman.

Pretty much all modern browsers support these ciphersuites and enabling them on the server shouldn't really be a big deal. Is there a GOOD reason why we aren't defaulting to these modes nowadays? (Ignorance and laziness don't count).

If you own and maintain a website, please enable TLS - at the very least.
======
dangrossman
> Is there a GOOD reason why we aren't defaulting to these modes nowadays?

Two of them:

(1) SSL certificates for public-facing sites (where you don't control the
trusted CAs/certs) cost money. More money than many individuals with sites
spend on their hosting.

(2) Because you need one IP address per domain to do SSL, which costs even
more money. Most sites are on shared hosting where dedicated IPs are not even
offered, and on VPS/dedicated hosting additional IPs cost extra.

There's not enough free IPv4 space available to switch every domain to SSL if
we wanted to. It won't be until Windows XP and Android 2.x usage is much lower
that we can start using SNI on public-facing websites, which would relieve us
of the need for a separate IP per domain.

On a personal note, SSL can be really expensive even if you're willing to
spend money on it. I run three sites that give users subdomains. To run SSL on
the sites, I need three wildcard certificates that cost over $300 per year.

~~~
toomuchtodo
1) Free SSL certificates: [http://www.startssl.com/](http://www.startssl.com/)

2) The benefits of SSL far outweigh the inability to serve XP and Android 2.X
clients. Use a dedicated IP if you can and it's cost-effective; if not, use
SNI.

~~~
dangrossman
1) Not free for commercial use per their terms of service. You have to use
their $59.90+ paid product.

2) No, the benefits of SSL do not "far outweigh" the cost of not being
available at all. If 1 in 5 people can't reach your site, it doesn't matter
how secure you are. That's about how much of the web you would be shutting out
by deploying SNI today.

If those were reasonable choices to make, at least some companies would be
making them, but not a single well-known site has done so.
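
The sub-thread above turns on two measurable questions: what share of a site's visitors send SNI in their ClientHello (the clients that can't are the ones a SNI-only deployment shuts out), and whether the cipher suites they offer include a forward-secret key exchange (the ECDHE/DHE suites the original post mentions). The following is an added example, not code from any commenter: a minimal parser for the TLS ClientHello that pulls out the `server_name` extension (RFC 6066) and the offered cipher suites, plus a builder that constructs sample ClientHellos so it runs offline. The cipher suite IDs in the table are a real subset of the IANA registry; the two sample clients (a "modern" one with SNI and ECDHE suites, a "legacy" one with neither) are constructed for illustration. Fed real records from a packet capture, the same functions give a site operator the SNI-support ratio the thread is arguing about.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Subset of the IANA TLS cipher suite registry (real IDs). The key-exchange
# part of the name says whether the suite gives forward secrecy.
CIPHER_NAMES: Dict[int, str] = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",  # TLS 1.3 suites always use (EC)DHE
}

# Static-RSA suites reuse the server's long-term key for the session secret;
# (EC)DHE and TLS 1.3 suites derive it from ephemeral keys instead.
PFS_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_", "TLS_AES_", "TLS_CHACHA20_")


def forward_secret(name: str) -> bool:
    return name.startswith(PFS_PREFIXES)


def build_client_hello(server_name: Optional[str], cipher_ids: List[int]) -> bytes:
    """Construct a minimal TLS ClientHello record (sample input for the parser).

    Random is zeroed and the session id is empty; this is test scaffolding,
    not a client you would put on the wire.
    """
    body = b"\x03\x03" + bytes(32) + b"\x00"                 # version, random, session id
    suites = b"".join(struct.pack("!H", c) for c in cipher_ids)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                       # one compression method: null
    exts = b""
    if server_name is not None:                               # server_name extension, type 0
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type host_name(0)
        sni = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni)) + sni
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Return the SNI host name and offered cipher suites from one TLS record."""
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                          # skip version and random
        pos += 1 + body[pos]                                  # skip session id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + body[pos]                                  # skip compression methods
        sni = None
        if pos + 2 <= len(body):                              # extensions block is optional
            end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                edata = body[pos:pos + elen]
                pos += elen
                if etype == 0x0000 and len(edata) >= 5 and edata[2] == 0:
                    name_len = struct.unpack("!H", edata[3:5])[0]
                    sni = edata[5:5 + name_len].decode("idna")
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc
    names = [CIPHER_NAMES.get(c, "UNKNOWN_0x%04X" % c) for c in ciphers]
    return {"sni": sni, "ciphers": names, "pfs_offered": any(forward_secret(n) for n in names)}


def count_sni(records: List[bytes]) -> Tuple[int, int]:
    """(ClientHellos carrying SNI, total) over a batch of captured records."""
    parsed = [parse_client_hello(r) for r in records]
    return sum(1 for p in parsed if p["sni"] is not None), len(parsed)


if __name__ == "__main__":
    # Constructed samples: a modern browser and an XP-era client without SNI.
    modern = build_client_hello("example.com", [0xC02F, 0xC02B, 0x009C])
    legacy = build_client_hello(None, [0x002F, 0x0035])
    for rec in (modern, legacy):
        print(parse_client_hello(rec))
    print("clients sending SNI: %d of %d" % count_sni([modern, legacy]))
```

Run against a capture, the `count_sni` ratio answers "how many of my users would a SNI-only deployment lose" with the site's own numbers rather than a global estimate, and `pfs_offered` shows which clients would negotiate a forward-secret suite if the server preferred one.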

------
adpreese
I already do default to SSL when possible with the KB SSL Enforcer
extension[1]. It breaks some sites some times, but it's generally pretty good.

[1] [https://chrome.google.com/webstore/detail/kb-ssl-enforcer/flcpelgcagfhfoegekianiofphddckof?hl=en](https://chrome.google.com/webstore/detail/kb-ssl-enforcer/flcpelgcagfhfoegekianiofphddckof?hl=en)

------
nattaylor
I feel like people just aren't used to it ("What is this green lock in my
address bar? This is just XYZNewsNet, if they need security, they must be
doing something wrong"), so large sites aren't inclined to make the switch.

