
There's a couple of issues that rarely are mentioned:

- For very high traffic websites HTTPS costs a lot of money. .gov sites are not very high traffic.

- When you have such high traffic you also have a bunch of old WinXP and similar clients. These don't work fast on HTTPS and don't work without SSLv3 and what not.

So while HTTPS with safe settings works in most cases, it doesn't work in all cases.




A few sources that claim that TLS is almost free today:

https://www.imperialviolet.org/2010/06/25/overclocking-ssl.h...

https://istlsfastyet.com/

http://blog.codinghorror.com/should-all-web-traffic-be-encry...

Although you may argue that if you are a CDN, encryption can be a significant portion of your costs.

Also, Jeff Atwood writes the following:

> Of course, there's no reason to encrypt traffic for anonymous, not-logged-in users, and Twitter doesn't. You get a plain old HTTP connection until you log in, at which point they automatically switch to HTTPS encryption. Makes sense.

Today we know that it is no longer a valid point. TOR users can be deanonymized by injecting traffic into plain HTTP connections. Upgrading to HTTPS seems to be fixing that. So we really should use HTTPS by default and HTTP only in very well articulated cases.


No, SSL/TLS is not expensive. I've been running a moderately high traffic website in EC2 for a few weeks. It is peaking at ~250k requests per minute per c3.8xlarge instance using only 40% CPU. 100% of the traffic is over SSL/TLS and the response size is less than 100 bytes, so most of the overhead is in handshaking (which is much more expensive than just sending data). With a larger response size, the CPU utilization would be even lower.


Get a CDN and you'll see the price. If you don't need a CDN or have your own multiple international PoPs then you're not really all that high traffic indeed.


> For very high traffic websites HTTPS costs a lot of money. .gov sites are not very high traffic.

.gov sites can be very high traffic. Think weather, social security, health care, immigration, visas...

> - When you have such high traffic you also have a bunch of old WinXP and similar clients. These don't work fast on HTTPS and don't work without SSLv3 and what not.

SSLv3 only kills IE6, which is doable. And it's okay if very old clients work slowly with HTTPS -- those clients have far more problems than just slow HTTPS.


Very high traffic is google.com and similar sites. Gov sites are not the tiniest sites but they're dwarfed by anyone getting a million hits per hour 24/7 (yes, Google is even way more than that, obviously).

Killing IE6 and some others (Java clients, etc.) is not always doable and that's the point. It's doable for many but not all.



