Yeah yeah, I know some of you don't want to hear about computer stuff here. It's your forum blabla whatever.
Other should be named "Other 2" maybe? Dunno whereelse to post this.
I'm just wondering about The Internet. Nowadays you see banking sites protecting their customers with encryption (https). I was just wondering why the whole Internet isn't encrypted yet while many firms etc are complaining about hackers hacking them and many hackers setting up "Evil Twins hotspots" at airports/hotells etc while The Internet criminality is increasing dramaticly.
The goverments knows about the problem everybody knows it and encryption is THE solution. Encrypting your hdd etc.
Let me guess, is it terrorism that will cost us our privacy as a reason not the make 256 bit encryption the main Internet standard?
I would like your opinion on this matter. Please only serious posts. Not childish Prick (Pr!ck etc) reactions.

Prick.

it's most likely down to cost or something like that or maybe apple is applying pressure cause they don't like security in their software.

SyPheR,

Just on the off chance that you don't like the responses here, you could try General Networking or one of the subforums. (Apologies for the UK link but that's the only one I can get to from this machine.)

One thing is for certain: you can post wherever you like, but you cannot influence what kind of responses you are going to get, not here and not on any other forum either. If it makes you feel any better: I cannot influence that either, noone can.

Okay. Fine.

Why isn't HTTPS generally used?

Easy. Encryption/decryption places EXTRA load onto the CPU and memory of a server (or servers), and a lot thereof if you're running something decent like 256 bit or greater. This means that more expensive and powerful equipment is required to serve that site. Plus, encryption software tends to be pricey (or utter tripe, sometimes both).

Another (very minor) problem with web encryption is browser support. Older browsers may require a plug-in to allow encryption. This could add admin overhead for the webmaster(s).

Finally, if I'm a network admin in charge of a corporate network (with web/DNS/VNC/etc servers) then I'm only going to spend the time/resources/overhead on securing that which needs to be secured. I'm not going to waste time securing the site that Jimmy from Accounting put up on the corporate network detailing him/his family/friends. I mean, really, I don't give a toss what crackers are attempting to steal his family photos. I'm more fussed about crackers stealing the company financial records/Intellectual Property/other high-sensitivity data.

There are a whole slew of other reasons. Talk to a networking specialist and/or an programmer about this. Mathematicians can be helpful in understanding encryption too.

Oh, by the way, here's the llama suit, you know what to do. [/Given up]

Where's your picture?

He shaved this morning. Perfectionism can be a pain in the hind quarters.

HTTPS or SSL can cost from $150 to $10,000 a year if you go with a 3rd party verified certificate.

Its easy to setup. Install your CA, create your data file, certify it against your own CA and then import your personally verified certificate on your site.

Problem is anyone can mimic an SSL site if its not verified by a 3rd party source. If you make your own, I could copy it within a few minutes.

Thus, you have to use a 3rd party do it.. its a yearly cost. Every year you need to replace your certificate, meaning a bunch of people are going to have headaches trying to make the certificate work with their browser, or update their computers.

I deal with this with Bank of America because those f'ing morons over there can't figure out how to properly replace their certificate on their end, which ends up with a week of down time until they can figure out that they need to remove the expired certificate, then import the new certificate so people can access the site.

It comes down to money and its not really all that great of protection.

I just finished setting it up last week for a financial system.. its only good when the person connecting to the site takes the time to verify the certificate is value. Most people set their browsers to not prompt when the certificate changes - if you go from https://www.bigbank.com to a redirected https://www.bigbank.com - the fastest way to know you're not on it is to check the certificate associated.
But if that person created their own, you'll see the little green bar and gold lock in IE, or the other features of other browsers, stating you're on a certified secure site. Which one? Doesn't matter, its secure though.

Thx for the reactions guys. I appreciate it.
Never expected it to cost that much.
Is that because 256 bit encryption could also be decrypted? So they'll have to maintain different encryption methodes to keep hackers from decrypting the data?

Why not use a layered encryption that is impossible to decrypt. Much cheaper in maintainance, right?

Mugz, sure the server loads are high with all these encryption calculations but will it still be high when we are like 10 years ahead in time? CPU's are becoming more and more powerfull over the years. Maybe that would be the time where encryption will become the main standard?

Riser, I've read that long time ago about faking urls and getting redirected etc. Do you think this will always stay the main problem in secure surfing? I think the problem lies more with the Browser developers. They should make this protection option a standard once you install it.

You can already get dedicated crypto cards to use for AES encryption.

If you want safer surfing I suggest you take a look at the noscript add-on for Firefox. It stunned me just how much scripting there is out there when I first had a play with it.

secure surfing is using a well built host file. Most peps, most likely, don't even know that the OS automatically installs a host file. Its up to the person to discover all the IPs that have been cycled in a big circle. No encryption needed cheap. The tool the FBI would rather not see on the net is the best one.
currently my host has over 320 thousand IP dns that are cycled back to the open world of cyber space most of these are evil IP that steal just for the fun. Even better is hacking the system to crash, then use a good flooder so now they have a fck of a time starting back up. Most hackers are not interested in your or my computers, its the server they want and being dudez in the other we are pricks.

The noscript addin is more sensible on the browser level than full-on encryption.

No! Turn off your PC and burn it!


Hackers will steal your homes and force you to be raped by rabid goats!


Live in fear! Fear! FEEEEEAAAAARRRRRRR!!!!!


* This announcement brought to you in association with the US and UK governments *

thank christ, at least that is not as bad as rabid llamas. I would really be sh!tting it then.

The CPU usuage isn't an issue. Its 1-3% use on a webserver hosting a bunch of stuff. I'm running it on a 7 year old system without any issues. I haven't seen any issues with the CPU.. its about the same as encrypting files on your computer/server. You don't see a change.

The cost is there because the certificate issuing company insures the company for data loss and such. The idea is that you go out and download the certificate which validates against the websites. You get a public key and a private key. Its fairly secure.. especially when adding in a login - Banks have SSL and then a login. Two layers. The bank website won't let you in without the certificate stating you're on that site. Getting the certificate isn't hard.. duplicating is a matter of the person accessing the site not knowing all that they're doing. Faking the website, getting their username/password, and cross scripting to pull their bank info isn't exactly hard to do for someone skilled in webdesign. Basically, they're acting as a proxy.

As far as encryption goes, you can get a varying degree. Most of them have more insurance as the level of certificate goes up, ensuring a higher level of accuracy.

http://www.verisign.com/ssl/buy-ss [...] index.html

I had another site that offered the certs for less.

I would imagine having dedicated secure DNS servers out there for financial institutes would help increase some security. Right now you don't really know if the DNS server you're using is secured or was modified by an outside source. If you understand DNS, you can modify internet DNS addresses to point anywhere. But it won't last long since the other DNS servers are likely to over write it with a replication process - but if you're able to get onto a root DNS server and make a change, you could take over the internet DNS structure within a matter of a couple hours.

Overall, as it stands, the internet is really 'safe' for what its worth. All the so called 'insecurities' can be attributed to the people using the computer. In an overall ideal situation, everyone would know what they're doing. Since that isn't the case, SSL won't even really help all that much.

In fact, there was a time when Google was crawling on sites and was pulling people's login information and reading their emails after they've logged in. Google's gmail scans your emails when you open them. Not really secure, but people think it is.

A few years back, one would only need to poison a cookie or use SQL injection to bypass a login. When these approaches were figured out, websites were changed to not allow it. Having the SSL there keeps people from modifying anything on the outside because they're using a public key, not the private key. But you can pull the private key and hack it to recreate it to get that access, but that's just getting over simple part of the security.

Overall, https won't take over for a long time because the benefit isn't there. It'll stick with financial places but I haven't heard of any new security coming out. 256bit encruption is probably here for the next few years at least.

Too many programs out there bypass it easily.. Google and Barracuda come to mind.

As far as browsers go, IEEE has a new internet they're working on getting out. Its in the alpha stages right now, much like the internet was in the very early 90s. Its limited to only select institutions and its supposed to be a whole lot more secure and change the way webpages are done along with data transfer. I'm guessing it'll come out in the next 10-15 years for public use. I think they're keeping it mainly for institutions, governments, and military at this point. It currently has roots in the US, some countries in the EU, Japan, and Canada if I remember.. might be some others out there.

That will change a lot of the current security issues.. and when you start moving into IPv6 with increased ranges, they'll be able to divide out blocks of IPs to financial institutes, with security, that will make accessing them different.

Basically, a lot of changes coming diown the road in the next few years. The internet was never designed to do what it does today which is why the quality of data transfer is poor.

Changes are to come.. starting with IPv6 and all that good stuff.

You find it entertaining to type all that? You really need to get laid.

Madonna will do.

It's very interresting stuff, I bet he got laid while typing that.

I think he missed the money shot.