On Sep 27, 2011, at 3:46 PM, Jimmy Hess wrote:
On Tue, Sep 27, 2011 at 5:29 PM, David E. Smith <dave@mvn.net> wrote:
On Tue, Sep 27, 2011 at 17:08, Jimmy Hess <mysidia@gmail.com> wrote:
That is, HTTPs should become assumed. As much as that would be wonderful from a security standpoint, IMO it's not realistic to expect every mom-and-pop posting a personal Web site to pay extra for a static/dedicated IP address from their hosting company (even if IPv6 were widely deployed, Web hosts probably would
Thanks to TLS SNI (server name indication), a dedicated IP address is no longer necessarily, RFC 3546, 3.1.
Except when it is.
Yes, it is realistic to expect every mom-and-pop posting a personal web site to utilize a provider that implements SNI, and the sooner they do it.
No, it isn't because it requires you to send the domain portion of the URL in clear text and it may be that you don't necessarily want to disclose even that much information about your browsing to the public.
It's also realistic to expect them to buy one of those $15 SSL certificates. Heck.... 1 year .COM registration used to cost a lot more than that.
Meh... I disagree. I don't think there's any reason to encrypt web sites that don't use authentication and are not providing personally identifying information or other "secret" data. I run several web servers virtual and real on one of my systems. Some of them have SSL, some of them don't. Even the ones that have SSL don't encrypt everything. There's no reason to encrypt that which does not need encryption and it's just an extra cost in terms of server resources and client resources to do so.
We're not talking about huge recurring costs here.
That depends. If it's a popular web site that delivers a lot of content, the additional CPU horsepower just to do the cryptography and the additional power to drive it could actually be very significant. For the average mom and pop, no, it's not a huge cost, but, neither is it necessarily a cost worth bothering with. Frankly, I don't expect static (or at least static-enough) addresses to cost extra in IPv6. You can already get a /48 from Hurricane Electric for free as long as you have IPv4 access. I suspect that eventually other IPv6 providers will have to at least match that standard. Owen