
1 - 9 of 9 Posts

·
Registered
Joined
·
8,300 Posts
Discussion Starter #1
I recently came across an add-on for Firefox called HTTPS Everywhere, which will force your browser to use encrypted HTTPS, instead of unencrypted HTTP, when possible. It also works with SeaMonkey.
 

·
Registered
Joined
·
2,309 Posts
I use this and it's not perfect. Wikipedia is sometimes dog slow using https and Wordpress blog links throw up an error (at least they did last week). Good thing that you can turn it off on a site by site basis.
 

·
Registered
Joined
·
7,131 Posts
HTTPS creates more overhead. That's fine if you have a fast PC but it can really slow down web site servers if they are not designed to handle it.
 

·
Registered
Joined
·
8,300 Posts
Discussion Starter #5
^^^^
Well, it is optional and you can specify what sites you want to use it with.
 

·
Registered
Joined
·
3,368 Posts
> HTTPS creates more overhead. That's fine if you have a fast PC but it can really slow down web site servers if they are not designed to handle it.

I've written software that has then been deployed to web farms at big companies, and in my experience the CPU use by the web servers went up by ~30% (average CPU use over the period of a week) when we turned up HTTPS. This was on a web application that had ~1000 concurrent user sessions.

When I was applying load test tools to see where the user experience of my different web apps starts to degrade, what I've found is that when you use reasonably high end hardware for both your web servers and your database servers, your database server will limit the scalability of your web app long before your web servers do, and this is with a single server dedicated to each task. I've done this test with many custom and commercial off-the-shelf web apps/products, and the results are always the same. Relational databases are where the bottleneck is.

Not to mention that it is very easy to scale out on your web tier just by adding more web servers behind a TCP load balancer provided the web app in question doesn't do anything stupid with server-side session variables, whereas scaling up a relational database is substantially more complex.

So, don't worry about the additional CPU load caused by SSL/TLS on web servers. It's not that big of an increase, it scales well across CPU cores, and it can scale easily to multiple web servers. Turn it on, or people will be able to hijack your cookies and steal your session using tools like Firesheep.
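
The post above recommends turning on SSL/TLS so that session cookies cannot be sniffed. As an added example (not part of the thread or any poster's code), this Python sketch audits response headers for cookies that a browser would still send over plain HTTP. The `Secure` cookie attribute and the `Strict-Transport-Security` header are not mentioned in the thread and are assumed here as the standard mechanisms; the function names and header samples are constructed.

```python
# Added example: flag session cookies that would still cross plain HTTP.
# All header samples below are constructed for illustration.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie_name, {attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_response(scheme, headers):
    """Return findings for one response; headers is a list of (name, value)."""
    findings = []
    names = {h.lower() for h, _ in headers}
    if scheme != "https":
        findings.append("served over plain HTTP")
    elif "strict-transport-security" not in names:
        # Without HSTS the browser may still make a first request over http://
        findings.append("HTTPS without Strict-Transport-Security")
    for hname, hvalue in headers:
        if hname.lower() == "set-cookie":
            cookie, attrs = parse_set_cookie(hvalue)
            if "secure" not in attrs:
                # A cookie without Secure is attached to http:// requests too
                findings.append(f"cookie {cookie} lacks Secure")
    return findings

# Constructed responses: an HTTPS login page whose session cookie is not
# marked Secure, and the same site after hardening.
WEAK = [("Content-Type", "text/html"),
        ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly")]
HARDENED = [("Content-Type", "text/html"),
            ("Strict-Transport-Security", "max-age=31536000"),
            ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly; Secure")]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response("https", hdrs) or "no findings")
```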
 

·
OTA Forum Moderator
Joined
·
24,867 Posts
Anyone using a mobile connection for web surfing should be using HTTPS Everywhere to protect as much as possible against Firesheep users. They're out there all over the place sniffing for your passwords.
 

·
Registered
Joined
·
215 Posts
Yes, Firesheep has certainly been a welcome eye opener and hopefully the momentum to switch to SSL will continue.

Note that not all wireless connections are at risk--anyone surfing using a 3G data connection like EVDO or HSPA is safe since those protocols are encrypted over the air, and connections to home routers via WPA2 are safe (provided you use a decently strong passphrase).

Connecting to non-secured or weakly secured (i.e., WEP) wifi access points without something like HTTPS Everywhere is definitely asking for trouble. When I'm travelling in Canada I don't even bother using free airport or hotel wifi anymore--a data stick or personal hotspot usually provides decent throughput with substantially fewer security concerns.

The two downsides to that solution are: a) way too expensive when roaming outside of Canada and b) you need to keep an eye on data usage.
 

·
Registered
Joined
·
8,300 Posts
Discussion Starter #9
A few days ago, I posted this item about a safer way to use public hotspots. With it, you'll log in and have WPA2, or more likely 802.11i, to ensure a secure connection. 802.11i is the same encryption method as WPA2, but uses an authentication server, rather than shared passwords.
 