
Re: Let's talk about HTTPS Everywhere



On Wed, Jan 19, 2011 at 12:57:48PM +0000, Camaleón wrote:
> On Wed, 19 Jan 2011 03:29:15 -0800, S Mathias wrote:
> > 3) Can someone trust this Add-on? Is it safe to install/use?
> 
> I don't like/trust anonymous (even encrypted) proxy sites.

HTTPS Everywhere is not a proxy site, encrypted, anonymous, or
otherwise.  It causes your browser to request that the sites you visit
use HTTPS rather than cleartext HTTP when communicating (directly) with
you.  Nothing more, nothing less.

> > 4) If it's so great why isn't it more prevalent?
> 
> - SSL traffic is heavy and slow
...
> My opinion is that I don't want to encrypt all the traffic, at least not 
> with the slow DSL connections/hosts we have now (loading a single page 
> will take seconds).

I don't know where you get this idea.  SSL traffic is no different on
the wire than any other data traffic.  There is a cost in processing
overhead for running the encryption algorithms on the client and on the
server, but it does not incur any additional bandwidth requirements and,
with modern hardware, the additional processing cost is negligible.

> - There is no need (normally) for encrypting public navigation (see the note 
> below)
...
> I prefer to leave the SSL/TLS for sensitive data (logins, etc...). 

When dealing with sites which use session cookies, "public navigation"
*is* "sensitive data", as every request sent will include the cookie(s)
which identify you and an attacker who gains access to that data would
be able to use those cookies to impersonate you for the lifetime of that
session, as demonstrated by the recent uproar over FireSheep.

-- 
Dave Sherohman
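
Added example (not part of the original message): a Python check of the session-cookie point above, listing which cookies a browser would attach to a cleartext http:// request because they lack the Secure attribute. The header values are constructed samples, the function names are hypothetical, and the model assumes Domain, Path and expiry already match.

```python
# Added example: which cookies ride along on cleartext HTTP requests?
# Simplified model: only the Secure attribute is considered (assumption).

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def cleartext_exposed(set_cookie_headers):
    """Names of cookies without Secure: sent on http:// as well as https://."""
    exposed = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if "secure" not in attrs:
            exposed.append(name)
    return exposed

def cookie_header_for(set_cookie_headers, scheme):
    """Cookie header a browser would send for a request using this scheme."""
    pairs = []
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        # Secure cookies are withheld from http:// requests; all others are sent.
        if scheme == "https" or "secure" not in attrs:
            pairs.append(f"{name}={value}")
    return "; ".join(pairs)

# Constructed sample responses from a hypothetical site.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",     # session cookie, no Secure flag
    "auth=tok456; Path=/; Secure; HttpOnly",  # only ever sent over HTTPS
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    print("Exposed on cleartext requests:", cleartext_exposed(SAMPLE_HEADERS))
    print("http  Cookie:", cookie_header_for(SAMPLE_HEADERS, "http"))
    print("https Cookie:", cookie_header_for(SAMPLE_HEADERS, "https"))
```

Any cookie reported as exposed is readable by anyone on the network path whenever a page on that site is fetched over http://, which is why forcing every request to HTTPS protects the session and not just the login form.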

