所有网站应该默认使用SSL? [英] Should all sites use SSL by default?
问题描述
- 对于每个站点,SSL证书都有直接的成本。我们有一个开发环境,qa和prod环境,因此每个站点都需要三个证书。
- 对于大多数页面,内容不安全,强制SSL将使页面请求在服务器上需要更长时间,因为加密和解密
- 从我所了解的情况来看,大多数浏览器不要缓存被SSL的页面,因此页面请求将需要更长时间
- 旧版浏览器在SSL已被下载时出现问题
我没有当用户进行身份验证或请求敏感数据时强制SSL的问题。不过,我认为在所有网站上默认强制SSL是有点多。
SSL 可以禁止网络级缓存。有解决方法,但这可能意味着同一网络中的多台计算机必须重新下载页面资源。这可以增加两端的网络负载。浏览器级缓存在现代浏览器中不是问题。
SSL使所谓的虚拟域的使用复杂化。传统上为了形成SSL连接,浏览器和服务器需要使用相同的域名。这使得不可能在单个IP上托管多个SSL证书,因为服务器将使用错误的证书进行响应。 服务器名称指示(SSL使用的TLS协议的扩展)的实施已经修复了许多在这种情况下,对于纯粹的性能,对隧道数据的对称加密和完整性检查并不是非常昂贵的;如果您的服务器无法以网络速度加密和解密,那么您有上帝自己的光纤,或者您应该考虑更换i486。然而,称为握手的SSL连接的启动有点贵,并且可能意味着重负载(每秒有数百个连接数或更多)时的性能瓶颈。幸运的是,给定的浏览器实例将重用隧道和SSL会话,因此如果您只有几十个用户,这不是问题。
总的来说,将SSL看起来像一种在安全性上获得温暖的模糊感的方式。不是很好。这通常意味着通过专注于不相关的,管理员将更可能无视实际的安全问题。它们还将使系统维护更加复杂,使其难以诊断和纠正问题。请注意,从管理员的角度来看,这使得他们的工作更加安全,因为它会增加触发成本并将其更换。
We are in the process of moving our web architecture to a new environment. Included are dozens of different sites ranging from almost completely static to dynamic sites requiring authentication and containing sensitive content. Our web server admins have (without any input from the development team) decided to make it a standard in the new environment to force SSL for everything. I do not agree with this decision and would like to have as much knowledge as possible when I sit down to discuss it. Here's what I have so far:
- For each site, an SSL certificate has a direct cost. We have a dev, qa, and prod environment and thus that is three certificates that are needed for each site
- For the majority of pages, the content is not secure and forcing SSL would make the page requests take longer on the server because of encrypting and decrypting
- From what I understand, most browsers to do not cache pages that are SSL'ed and thus again, page requests will take longer
- Older browsers have problems with file downloads when they are SSL'ed
I do not have an issue with forcing SSL when users are authenticating or they are requesting sensitive data. However, I think forcing SSL by default on all sites is a bit much.
SSL can inhibit network-level caching. There are workarounds to this but it can mean that multiple computers in the same network have to re-download page resources. This can increase network load at both ends. Browser-level caching is not an issue in modern browsers.
SSL complicates usage of so-called "virtual domains". Traditionally in order to form a SSL connection the browser and server need to be working to the same domain name. This made it impossible to host more than one SSL certificate on a single IP because the server would respond with the wrong certificate. The implementations of Server Name Indication (an extension to the TLS protocol that SSL uses) has fixed many of the problems with this.
On pure performance, the symmetric encryption and integrity check on tunneled data is not very expensive; if your server cannot encrypt and decrypt at network speed, then either you have God's own optic fiber, or you should think about replacing those i486. However, the initiation of a SSL connection, known as "handshake", is a bit more expensive, and may imply a performance bottleneck on heavy loads (when there are hundreds of connections per second, or more). Fortunately, a given browser instance will reuse tunnels and SSL sessions, hence this is not a problem if you have only a few dozen users.
Overall, putting SSL everywhere looks like a way to get a "warm fuzzy feeling" on security. This is not good. This usually means that by concentrating on the irrelevant, administrators will be more likely to disregard actual security issues. They will also make the system more complex to maintain, making it more difficult to diagnose and correct problems. Note that from the administrators point of view, this makes their job more secure, since it increases the cost of firing them and replacing them.
这篇关于所有网站应该默认使用SSL?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
