The success of the Google+ launch and its overall browser security ratings seem to be attributed to its SSL-only traffic approach. What makes SSL so secure, and why doesn’t every Web application use it?
With Google search over SSL, you can have an end-to-end encrypted search between your computer and Google, preventing a third party from intercepting and reading your search terms and your search results pages. SSL (Secure Sockets Layer) has actually been superseded by TLS (Transport Layer Security), though this suite of protocols is still generally referred to as SSL. SSL protects a network connection by using asymmetric cryptography to authenticate the server and agree on session keys, symmetric encryption of the traffic for privacy, and a keyed message authentication code for message integrity. TLS makes use of a variety of security measures, including a message digest enhanced with a key (HMAC) and a sequence number in its message authentication codes (MACs), so that a record that has been altered, replayed or reordered is rejected. Another benefit of an SSL connection is that it gives you a way to ensure the page you're on is actually coming from the site you intended to reach. When you see the secure lock symbol, you can check the SSL certificate to see the name of the organization and who issued the certificate.
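To make the HMAC-plus-sequence-number point concrete, here is an added example (not from the original article) that computes the TLS 1.2 record MAC input as RFC 5246 defines it and shows a replayed or altered record failing verification at the receiver. The MAC key and the record contents are constructed for the demonstration.

```python
import hmac
import hashlib
import struct

# TLS 1.2 record-layer MAC (RFC 5246, section 6.2.3.1):
#   MAC(MAC_write_key, seq_num || type || version || length || fragment)
# The 64-bit sequence number is implicit: it is never sent on the wire, but
# both sides count records, so a replayed or reordered record fails the check.

MAC_KEY = b"constructed-mac-write-key-for-demo"  # constructed sample key, not a real session key
TLS_VERSION = b"\x03\x03"   # TLS 1.2
APPLICATION_DATA = 23       # ContentType application_data

def record_mac(key: bytes, seq_num: int, content_type: int, fragment: bytes) -> bytes:
    """Compute HMAC-SHA256 over the TLS 1.2 MAC input for one record."""
    header = struct.pack("!QB2sH", seq_num, content_type, TLS_VERSION, len(fragment))
    return hmac.new(key, header + fragment, hashlib.sha256).digest()

class Receiver:
    """Tracks the expected sequence number and verifies each incoming record."""
    def __init__(self, key: bytes):
        self.key = key
        self.expected_seq = 0

    def accept(self, content_type: int, fragment: bytes, mac: bytes) -> bool:
        expected = record_mac(self.key, self.expected_seq, content_type, fragment)
        if not hmac.compare_digest(expected, mac):
            return False  # tampered, replayed or out of order: drop the record
        self.expected_seq += 1
        return True

def demo() -> dict:
    sender_seq = 0
    rx = Receiver(MAC_KEY)
    results = {}
    # First record arrives in order: accepted.
    frag = b"GET /search?q=tls HTTP/1.1\r\n"
    mac = record_mac(MAC_KEY, sender_seq, APPLICATION_DATA, frag)
    results["in_order"] = rx.accept(APPLICATION_DATA, frag, mac)
    sender_seq += 1
    # Same bytes delivered again: receiver now expects seq 1, so the MAC fails.
    results["replay"] = rx.accept(APPLICATION_DATA, frag, mac)
    # Second record with one byte changed in transit: MAC fails.
    frag2 = b"Host: example.invalid\r\n"
    mac2 = record_mac(MAC_KEY, sender_seq, APPLICATION_DATA, frag2)
    results["tampered"] = rx.accept(APPLICATION_DATA, frag2[:-1] + b"!", mac2)
    # The genuine second record is still accepted afterwards.
    results["second_in_order"] = rx.accept(APPLICATION_DATA, frag2, mac2)
    return results

if __name__ == "__main__":
    print(demo())
```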
A Google spokesman indicated that Google plans to make SSL encryption the default for its online applications. Google hasn't extended SSL across all its services yet, though, and the reason given is, "We need to better understand how it affects users' search experience. . . . We expect that encrypted SSL search will slow down Google searches by a small degree, and we don't like the idea of rolling this out to everyone before we're able to test the performance effects."
It's this effect on performance that is the reason why SSL isn't the default for connecting to websites. SSL involves a tradeoff: improved security versus cost and slower response times. The encryption process slows down the delivery of a site's pages. A lot has to happen when using SSL (the handshake, certificate checks and key agreement) even before you get to the bulk encryption of the data that is being exchanged between the server and client. In the pre-broadband days, when pages loaded slowly anyway, Web designers were reluctant to add further delays for visitors to their site by encrypting every page. (This is the reason most home pages don't use SSL -- the designer wants you to see it as quickly as possible so you don't lose patience and go somewhere else.) Also, most browsers don't cache documents delivered over SSL, which generates a lot of extra Internet traffic and makes pages load more slowly, as they have to be fetched from the Web server each and every time.
In order to deliver webpages over SSL, a site needs a digital certificate. A one-year VeriSign SSL Certificate with Extended Validation costs $995 a year. That's a lot of money for a corner store that has a static website simply to advertise its existence. Security controls should be adequate and proportionate to the identified risks, so providing an SSL connection to this type of website would be completely over the top. However, for large sites with plenty of processing power and resources, there is no reason why an SSL connection shouldn't become the default connection to the site.
This was first published in November 2011