HTTPS
  • Booletsnotreactwell
    Always against the grain
    • Nov 2014
    • 2154

    #1

    HTTPS

    I'm wondering if there are any plans to have this integrated.

    Man-in-the-middle attacks happen: many people are connecting through mobile devices and public wifi instead of desktops hooked up directly by a cable, many people have wifi-hotspot-capable modems from their ISPs and leave the default settings/sequenced default password, and most importantly many people who aren't security conscious unfortunately use the same password across many websites.


    It's worth a thought. A website with this kind of demographic (middle-aged men, disposable income, etc.) would make a prime target for identity thieves.
  • linung
    Senior Member
    • Apr 2017
    • 3083

    #2
    How much would it cost?

    Are you offering to pay for it or raising the funds to cover it?
    Member of CWTF, NDA, CSSA, OFAH



    I am a reloader, because I like the freedom to shoot without limits.
    all I gotta do is load MOAR!!!!!

    Comment

    • Doug_M
      Senior Member
      • Feb 2013
      • 16046

      #3
      Originally posted by linung View Post
      How much would it cost?

      Are you offering to pay for it or raising the funds to cover it?
      Certificates aren’t expensive. Even a “high end” cert is going to be less than $200 per year. The real “cost” is processing power on the server end as web servers “work harder” when encrypting everything. But that shouldn’t be a concern these days as it would have been 10 years ago.


      Sent from my iPhone using Tapatalk Pro
      Our freedoms ARE the greater good.

      Comment

      • RangeBob
        Senior Member
        • Mar 2014
        • 121903

        #4
        Originally posted by Doug_M View Post
        Certificates aren’t expensive. Even a “high end” cert is going to be less than $200 per year.
        If you're on amazon cloud, and use their certs with their load balancer, I think it's less than that.

        Originally posted by Doug_M View Post
        The real “cost” is processing power on the server end as web servers “work harder” when encrypting everything. But that shouldn’t be a concern these days as it would have been 10 years ago.
        Current thinking is it adds about 1% to the load.
        If you choose the right cipher suites, some SSL processing can be done by the Advanced Encryption Standard (AES) dedicated instructions added to modern CPUs.
        And if you're using a load balancer, you've offloaded the load completely (with an increase in latency, but no decrease in total bandwidth).

        Comment

        • Booletsnotreactwell
          Always against the grain
          • Nov 2014
          • 2154

          #5
          Originally posted by linung View Post
          Are you offering to pay for it or raising the funds to cover it?
          Why so confrontational?

          Personally I pretty much run different passwords all kept in a ledger, Linux distro, VPN, always hardwired internet connection and max privacy settings on the browser, so I'm not concerned about the lack of HTTPS for myself. I know others, though, likely don't do that and could very well benefit from the security.

          Comment

          • linung
            Senior Member
            • Apr 2017
            • 3083

            #6
            Originally posted by Booletsnotreactwell View Post
            Why so confrontational?

            Personally I pretty much run different passwords all kept in a ledger, Linux distro, VPN, always hardwired internet connection and max privacy settings on the browser, so I'm not concerned about the lack of HTTPS for myself. I know others, though, likely don't do that and could very well benefit from the security.
            Sorry if I seem confrontational!

            Those were my thoughts on moving to HTTPS. And I nominate you to spearhead the project.
            Member of CWTF, NDA, CSSA, OFAH



            I am a reloader, because I like the freedom to shoot without limits.
            all I gotta do is load MOAR!!!!!

            Comment

            • Zinilin
              Senior Member
              • Feb 2014
              • 5122

              #7
              Using https will:
              - Increase the average data payload by about 80% due to the encryption; pages will load slower.
              - Prevent your browser from caching many elements like pictures, gifs, banners etc; pages will load slower.
              - Not increase the message security since this is a public forum.
              - Not prevent man in the middle attacks because this site's infrastructure is visible to the employees of Cloudflare in their Newark, New Jersey data center.


              Don't put a bank vault door on a cardboard box to guard an orange.

              Comment

              • RangeBob
                Senior Member
                • Mar 2014
                • 121903

                #8
                Originally posted by Zinilin View Post
                Increase the average data payload by about 80% due to the encryption; pages will load slower.
                I think that's false. The algorithms do a 1:1 transform in place rather than expanding the data size, so the same bandwidth. The usual reason for expanding encrypted data is if you have to apply an encoding like BASE64 (e.g. to store in a database character field that requires printable characters), but that's not required for https encryption.

                When Google went to https, they didn't buy any more servers to handle that.
                Netflix also went to https. If the data was going to be larger, they obviously would be hit huge given the size of the files they move; they are completely dependent upon bandwidth.



                The main increase is the SSL handshake, then 1% for cpu load (both browser and server), not bandwidth.

                But http2 solved a few performance issues with https when compared to http/1.1.
                For a dramatic example, see
                Encrypted websites protect our privacy and are significantly faster. Run this test and prepare to be amazed. #HttpsEverywhere



                Originally posted by Zinilin View Post
                Prevent your browser from caching many elements like pictures, gifs, banners etc; pages will load slower.
                As stated that's false. Browsers cache static files (pictures, javascript, css, etc) based on the URL -- for both http and https.
                (websites can request that static files not be cached, and browsers can be set to not cache files. The latest versions of IE default to deleting the cache whenever the browser is closed)

                If you use Cloudflare to do the SSL, then there's no difference in caching at Cloudflare.
                If you do https on your own servers, and have Cloudflare in between, then Cloudflare can no longer cache static files.

                Originally posted by Zinilin View Post
                Not increase the message security since this is a public forum.
                You're right, there's no point in encryption to protect the top secret confidentiality of the absolutely public posts.
                Just the userid/password logon.

                Originally posted by Zinilin View Post
                Not prevent man in the middle attacks because this site's infrastructure is visible to the employees of Cloudflare in their Newark, New Jersey data center.
                True-ish. There are a bunch of people you have to trust:
                - yourself, that you didn't do something that left viruses, keystroke loggers (beyond the ones websites use), spyware, and everything else on your own computer
                - the writers of {chrome, firefox, internet explorer, safari, etc} that they haven't done things that are bad
                - police and three-letter-acronym companies aren't logging your stuff
                - NSA, that they haven't cracked https
                - the website configure person, that they aren't allowing cipher suites and TLS settings that are known to be vulnerable
                - the website forum software writers
                - as you say, Cloudflare employees
                - the certification authority (certificate vendor)
                - and of course the hosting company

                I don't know about Cloudflare, but Amazon AWS went to a fair bit of trouble to ensure that their employees couldn't see what customers put on their servers -- unless customers configured their security as public.

                But other than the above list of known entities, the whole point of ssl/https is that there isn't someone the website owner (e.g. jwirecom109) hasn't heard of being in the middle. PARANOIA: Filtering out disapproved pages, replacing content. Monitoring content as it's created using push protocols, rather than less efficient pull protocols. Logging who sees which content.
                For example, you no longer have to trust your ISP.
                Last edited by RangeBob; 11-27-2017, 03:28 AM.

                Comment
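RangeBob's point above, that encryption is a 1:1 transform and that the growth people notice comes from an encoding like BASE64, can be checked directly. This is an added example, not code from the thread: it seals buffers with AES-256-GCM (a common HTTPS bulk cipher) and compares the fixed per-record cost against base64 expansion; the key and buffer sizes are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// Constructed 32-byte demo key; a real TLS session derives its key from the handshake.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// sealRecord encrypts with AES-256-GCM, the bulk cipher most HTTPS sessions
// negotiate, and returns nonce || ciphertext || tag, everything the receiver
// needs. The ciphertext is exactly as long as the plaintext; only the 12-byte
// nonce and 16-byte tag are added, whatever the payload size.
func sealRecord(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// base64Overhead returns the bytes base64 adds (about a third of the input),
// the expansion that gets mistaken for "encryption overhead".
func base64Overhead(plaintextLen int) int {
	return base64.StdEncoding.EncodedLen(plaintextLen) - plaintextLen
}

func main() {
	for _, n := range []int{100, 1_000_000} {
		sealed, err := sealRecord(demoKey, make([]byte, n))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%7d bytes: AES-GCM +%d, base64 +%d\n", n, len(sealed)-n, base64Overhead(n))
	}
}
```

TLS itself splits data into records of at most 16 KB and adds a fixed header and tag to each, so on the wire the total overhead stays a fraction of a percent regardless of how much is sent.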

                • RangeBob
                  Senior Member
                  • Mar 2014
                  • 121903

                  #9
                  Originally posted by Doug_M View Post
                  Certificates aren’t expensive. Even a “high end” cert is going to be less than $200 per year.
                  The cheapest certs are free. They expire every 90 days (to encourage certificate renewal automation).
                  Let's Encrypt is a free, automated, and open Certificate Authority brought to you by the nonprofit Internet Security Research Group (ISRG). Read all about our nonprofit work this year in our 2024 Annual Report.


                  I doubt they're the tiny hyper-efficient certs that Google is using, and I haven't tried them myself, but they're free.
                  Last edited by RangeBob; 11-27-2017, 03:12 AM.

                  Comment

                  • Doug_M
                    Senior Member
                    • Feb 2013
                    • 16046

                    #10
                    Originally posted by RangeBob View Post
                    The cheapest certs are free. They expire every 90 days (to encourage certificate renewal automation).
                    Let's Encrypt is a free, automated, and open Certificate Authority brought to you by the nonprofit Internet Security Research Group (ISRG). Read all about our nonprofit work this year in our 2024 Annual Report.


                    I doubt they're the tiny hyper-efficient certs that Google is using, and I haven't tried them myself, but they're free.
                    Yes, I’ve used letsencrypt and another free one that pre-dates letsencrypt whose name escapes me at the moment. When I said $200 or less I was just guessing at what a small to medium “business class” cert that the “name brand” companies like Verisign sell costs.


                    Sent from my iPhone using Tapatalk Pro
                    Our freedoms ARE the greater good.

                    Comment
