The success of the Google+ launch and its overall browser security ratings seem to be attributed to its SSL-only traffic approach. What makes SSL so secure, and why doesn't every Web application use it?
With Google search over SSL, you can have an end-to-end encrypted search between your computer and Google, preventing a third party from intercepting and reading your search terms and your search results pages. SSL (Secure Sockets Layer) has actually been superseded by TLS (Transport Layer Security), though this suite of protocols is still generally referred to as SSL. SSL encrypts a network connection, using asymmetric cryptography for privacy and a keyed message authentication code for message reliability. TLS makes use of a variety of security measures, including a message digest enhanced with a key (HMAC) and a sequence number in its message authentication codes (MACs). Another benefit of an SSL connection is that it gives you a way to ensure the page you're on is actually coming from the site you intended to reach. When you see the secure lock symbol, you can check the SSL certificate to see the name of the organization and who issued the certificate.
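To show why the sequence number inside the TLS record MAC matters, here is an added example (not code from the original answer) that builds a TLS 1.2-style record MAC, HMAC over the sequence number, record header and payload, and then demonstrates that a replayed or reordered record fails verification even though its bytes were genuinely produced by the sender. The key and payloads are constructed for the demonstration; no real TLS session is involved.

```python
import hashlib
import hmac
import struct

# Constructed demo values (assumptions for the example, not real session material).
MAC_KEY = b"constructed-demo-write-mac-key"
CONTENT_TYPE_APPDATA = 23     # TLS ContentType application_data
TLS_VERSION = (3, 3)          # TLS 1.2
MAC_LEN = 32                  # HMAC-SHA256 output length


def record_mac(key, seq_num, content_type, version, fragment):
    """HMAC over seq_num(8) || type(1) || version(2) || length(2) || fragment,
    the MAC input layout TLS 1.2 uses for its record layer (RFC 5246, 6.2.3.1)."""
    header = struct.pack("!QBBBH", seq_num, content_type,
                         version[0], version[1], len(fragment))
    return hmac.new(key, header + fragment, hashlib.sha256).digest()


def protect(key, seq_num, fragment):
    """Sender side: append the MAC computed under the sender's sequence number."""
    return fragment + record_mac(key, seq_num, CONTENT_TYPE_APPDATA, TLS_VERSION, fragment)


def verify(key, expected_seq, record):
    """Receiver side: recompute the MAC with the receiver's OWN expected sequence
    number and compare in constant time. Returns the fragment, or None on failure."""
    fragment, tag = record[:-MAC_LEN], record[-MAC_LEN:]
    expected = record_mac(key, expected_seq, CONTENT_TYPE_APPDATA, TLS_VERSION, fragment)
    if not hmac.compare_digest(tag, expected):
        return None
    return fragment


def replay_is_rejected():
    """Deliver record 0 twice: the first copy verifies, the replayed copy does not,
    because the receiver has already advanced to sequence number 1."""
    rec0 = protect(MAC_KEY, 0, b"GET /search?q=tls HTTP/1.1")
    first = verify(MAC_KEY, 0, rec0)
    replay = verify(MAC_KEY, 1, rec0)   # same bytes, but receiver now expects seq 1
    return first is not None and replay is None


def reorder_is_rejected():
    """Swapping records 0 and 1 on the wire makes both fail at the receiver."""
    rec0 = protect(MAC_KEY, 0, b"first")
    rec1 = protect(MAC_KEY, 1, b"second")
    in_order = verify(MAC_KEY, 0, rec0) is not None and verify(MAC_KEY, 1, rec1) is not None
    swapped = verify(MAC_KEY, 0, rec1) is None and verify(MAC_KEY, 1, rec0) is None
    return in_order and swapped
```

Modern TLS 1.3 AEAD ciphers keep the same idea by feeding the record sequence number into the nonce, so the replay and reordering checks shown here still apply.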
A Google spokesman indicated that Google plans to make SSL encryption the default for its online applications. Google hasn't extended SSL across all its services yet, though, and the reason given is, "We better need to understand how it affects users' search experience. . . . We expect that encrypted SSL search will slow down Google searches by a small degree, and we don't like the idea of rolling this out to everyone before we're able to test the performance effects."
It's this effect on performance that is the reason why SSL isn't the default for connecting to websites. SSL involves a tradeoff: improved security versus cost and slower response times. The encryption process slows down the delivery of a site's pages. A lot has to happen when using SSL, even before you get to the bulk encryption of the data being exchanged between the server and client. In the pre-broadband days, when pages loaded slowly anyway, Web designers were reluctant to add further delays for visitors to their site by encrypting every page. (This is the reason most home pages don't use SSL -- the designer wants you to see it as quickly as possible so you don't lose patience and go somewhere else.) Also, most browsers don't cache documents delivered over SSL. Serving every page over SSL would therefore generate a lot of extra Internet traffic, and pages would load more slowly because they would have to be fetched from the Web server each and every time.
In order to deliver webpages over SSL, a site needs a digital certificate. A one-year VeriSign SSL Certificate with Extended Validation costs $995 a year. That's a lot of money for a corner store that has a static website simply to advertise its existence. Security controls should be adequate and proportionate to the identified risks, so providing an SSL connection to this type of website would be completely over the top. However, for large sites with plenty of processing power and resources, there is no reason why an SSL connection shouldn't become the default connection to the site.