[JamesK]

I recently came across an add-on for Firefox called HTTPS Everywhere, which will force your browser to use encrypted HTTPS, instead of unencrypted HTTP, when possible. It also works with Seamonkey.

 

[special k]

nice find!!!!

 

[NeilN]

I use this and it's not perfect. Wikipedia is sometimes dog slow using https and Wordpress blog links throw up an error (at least they did last week). Good thing that you can turn it off on a site by site basis.

 

[ScaryBob]

HTTPS creates more overhead. That's fine if you have a fast PC but it can really slow down web site servers if they are not designed to handle it.

 

[JamesK]

^^^^
Well, it is optional and you can specify what sites you want to use it with.

 

[audacity]

HTTPS creates more overhead. That's fine if you have a fast PC but it can really slow down web site servers if they are not designed to handle it.

I've written software that has then been deployed to web farms at big companies, and in my experience the CPU use by the web servers went up by ~30% (average CPU use over the period of a week) when we turned up HTTPS. This was on a web application that had ~1000 concurrent user sessions.

When I was applying load test tools to see where the user experience of my different web apps starts to degrade, what I've found is that when you use reasonably high end hardware for both your web servers and your database servers, your database server will limit the scalability of your web app long before your web servers do, and this is with a single server dedicated to each task. I've done this test with many custom and commercial off-the-shelf web apps/products, and the results are always the same. Relational databases are where the bottleneck is.

Not to mention that it is very easy to scale out on your web tier just by adding more web servers behind a TCP load balancer provided the web app in question doesn't do anything stupid with server-side session variables, whereas scaling up a relational database is substantially more complex.

So, don't worry about the additional CPU load caused by SSL/TLS on web servers, it's not that big of an increase, it scales well across CPU cores, and can scale easily to multiple web servers. Turn it on, or people will be able to hijack your cookies and steal your session using tools like FireSheep.

 

[stampeder]

Anyone using a mobile connection for web surfing should be using HTTPS Everywhere to protect as much as possible against Firesheep users. They're out there all over the place sniffing for your passwords.

 

[GDX]

Yes, Firesheep has certainly been a welcome eye opener and hopefully the momentum to switch to SSL will continue.

Note that not all wireless connections are at risk--anyone surfing using a 3G data connection like EVDO or HSPA is safe since those protocols are encrypted over the air, and connections to home routers via WPA2 are safe (provided you use a decently strong passphrase).

Connecting to non-secured or weakly secured (i.e., WEP) wifi access points without something like HTTPS Everywhere is definitely asking for trouble. When I'm travelling in Canada I don't even bother using free airport or hotel wifi anymore--a data stick or personal hotspot usually provides decent throughput with substantially fewer security concerns.

The two downsides to that solution are: a) way too expensive when roaming outside of Canada and b) you need to keep an eye on data usage.

 

[JamesK]

A few days ago, I posted this item about a safer way to use public hotspots. With it, you'll log in and have a WPA2, or more likely 802.11i to ensure a secure connection. 802.11i is the same encryption method as WPA2, but uses an authentication server, rather than shared passwords.