I don't get it. Why do a lot of websites publish https links for no apparent reason, like: https://javaserverfaces.java.net.

Why would they want to create extra load on their servers for just a regular page that doesn't require login or exchange of info???

https goes with a certificate which ensures that the site is authentic

If the only sites that used SSL were the ones that transmitted vitally important secrets, it would be trivial to find and attack those traffic streams. By running everything in SSL, including unimportant traffic, we protect the important traffic from new SSL exploits. That's the server side argument.

On the client side, using SSL and managing certificates properly in the client browser helps prevent false-AP attacks in coffee shops and other public wi-fi hotspots. If you are browsing an unencrypted website, and I have a browser exploit, I can insert it into your system using airpwn or similar tools.

Incidentally, I have never seen any noticeable server load from running SSL myself. The network I/O always chokes the traffic down more than the processor load does in any reasonably well designed application. When Google implemented HTTPS for gmail, they didn't add any new servers and they only saw a 1% increase in load on their old servers.

The only problem with 'SSL everywhere' as a philosophy is that it places power in the hands of the certificate authorities, who seem to be mostly amoral and incompetent.

Hope that helps!

1 members found this post helpful.

wow @Medievalist very breve explanation! nice work :-)

+that it makes sense to me...

I tried to visit that site, and Chrome gave me a big red security warning. It said the SSL certificate being served was not for the site I was visiting, and that I should not proceed.

This is also your first day posting here.

Is there some funny business happening?

Also, if you visit the http version, you can see that that site does indeed take login information, and that the reason it uses https is therefore completely obvious.

wow yeah firefox reports it too

What funkiness is going on here?

Outstanding response Medievalist! Thank you. I 2nd post and I already learned something. So, using SSL for "unimportant" connections is for the benefit for all. But, if SSL doesn't cause significant load, then why do they make SSL offload cards? Anyway, based on your server-side argument, maybe it would be a good idea for ALL sites to use SSL to encrypt, but w/o necessarily needing a cert issued by an authority (self-signed), just for basic privacy measures. Then, we wouldn't have to use Tor so much. Any talk along those lines?

@Dugan, yes, this is my first day posting! But, I don't know what you mean by funny business. And that site was just an example; surely you've happened across other sites using https that don't require logins... but, that point is moot now. I guess I found it annoying that that site didn't have their cert updated, or was using one from the java.com site. I ignored the FF warning that went in anyway since their is only a risk of the site not being authentic (low risk in this case) and I didn't plan on sending sensitive info and the chance of it being a phishing site is also low.

You're saying that the difficulty of targeting specific HTTPS connections increases with the amount of existent HTTPS connections? That sounds kind of weird to me, honestly. For example, say I use these three sites: google.com, bankofamerica.com, and linuxquestions.org. How exactly would using HTTPS on all three sites make it more difficult for a criminal to attempt to MITM (for example) my bankofamerica.com connection? How would using HTTPS only on bankofamerica.com make it easier to be directly targeted?

The privacy benefit is limited in at least 2 ways :

Tor hides the URL, https does not. If anybody wants to know what you're reading, they may try to access the same URL themselfes. https will help only if the site returns content based on your input, without reloading the page / changing the URL

Even if the site gives content without reload, the domain name of the site is still visible. This alone can give enough information to the party you're hiding your business from

0 members found this post helpful.

The HTTPS URL is transmitted within the SSL connection, so it's not visible. What is visible to the bad guys is the domain name and port you're using. Also, keep in mind that any hiding Tor may do only applies within the Tor network. That is, the Tor exit node you're using will still have the same access any other non-Tor node would have. In the case of HTTPS, it'll mean domain/port... and in HTTP, well, everything.

Moved: This thread is more suitable in the Security forum and has been moved accordingly to help your thread/question get the exposure it deserves.

That isn't really what I took away from his statement. I believe he is more referring to how a lot of sites use SSL for the login, but then display regular pages without using SSL. When this happens You can pull session keys out of the traffic for the non-SSL'd pages and hijack the users session. However if you keep the whole site encrypted with SSL even the non-important pages, you can no longer use this attack vector. There are a lot of sites now changing over to encrypting the whole site ever since firesheep gave everyone a reality check.

But I could have misunderstood what he was trying to say.

nomb

In a perfect world, ALL SITES would use SSL. It does not add any additional load on modern servers (or clients) and users would get the benefit of never having to pay attention to whether or not SSL is being used.

1 members found this post helpful.

Yeah, I know what you mean (and I agree). It just sounds to me like you and Medievalist are referring to two totally different things. In retrospect, however, I see how his/her statement can be interpreted in a number of different ways.

Besides, this explains why it sounded so weird to me.