Can you have too much SSL?
In response to my announcement of the SSL Rating Guide, Colin Watson left an interesting comment, which I thought would be better answered here.
Perhaps getting away from the issue of SSL configuration, and more onto application design, there's a couple of areas where I feel OVER-use of SSL might be a problem:
Overuse of SSL? Having previously stated (in my Secure Browsing Mode proposal) that I'd like to see the Web become an SSL-only place, I don't think overuse is likely. In fact, given my ongoing struggle to find a hosted blog or wiki service that uses SSL properly, I'd rather see overuse than what we have now — no security at all.
1. sites that ONLY operate under SSL, and are not available without SSL, even though most of the content is public and not in any way sensitive (does this over-use undermine confidence or increase distrust in other non-SSL sites?)
Even with web sites that do not contain sensitive content (no need for confidentiality), you'd still want SSL to provide authentication (are you seeing the correct web site?) and integrity (has anyone modified content in transit?).
2. sites that are generally not SSL, but allow content to be accessed using SSL by unauthenticated users (authenticated users always being forced to use SSL)
Actually, allowing non-SSL access anywhere on a site that requires authentication at some point is very dangerous. When you access a non-SSL site you have no way of telling if you are seeing the genuine site. A MITM attacker could have intercepted your DNS queries to redirect your HTTP requests elsewhere. He could have easily modified the site's content in transit. Either way, he's in charge of what you see. Links to an SSL-enabled portion of the web site could be rewritten to plain-text access. Similarly, such links could lead to an SSL-enabled site under the attacker's control. Granted, some advanced users would detect such an attack, but most users wouldn't.
Can you have too much SSL? I don't think so.
So Ivan, this is an interesting conversation. I agree whole-heartedly on the topic, but it seems everyone else makes it difficult. In my case (and with many other 2.0 "Mashable" sites), content aggregated from content providers or advertisers has no SSL version. Even Google AdSense!! This makes it difficult to build an SSL-only site, since browser error messages about insecure content, etc. become too much of a nuisance.
Posted by: Michael Menefee | July 25, 2009 at 02:19 PM
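As an added example (not code from the post or from either commenter), here is a small Python audit that checks a page for both problems raised above: subresources fetched over plain http://, which trigger the insecure-content warnings Michael describes on an SSL-only site, and links to the site's own host that use http:// and would drop a user back onto plaintext. The host names in the sample page are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose value the browser fetches as a subresource.
SUBRESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                     "link": "href", "embed": "src", "object": "data"}

class SslAudit(HTMLParser):
    """Collect http:// subresources and http:// links to the site's own host."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.insecure_subresources = []  # would trigger mixed-content warnings
        self.insecure_site_links = []    # would send the user back to plaintext

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in SUBRESOURCE_ATTRS:
            # <link> only loads a subresource when it is a stylesheet
            if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
                return
            url = attrs.get(SUBRESOURCE_ATTRS[tag]) or ""
            if urlsplit(url).scheme == "http":
                self.insecure_subresources.append(url)
        elif tag == "a":
            parts = urlsplit(attrs.get("href") or "")
            if parts.scheme == "http" and parts.hostname == self.site_host:
                self.insecure_site_links.append(attrs["href"])

def audit_html(html, site_host):
    """Return (insecure_subresources, insecure_site_links) for one page."""
    parser = SslAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.insecure_subresources, parser.insecure_site_links

# Constructed sample page; example.com and ads.example.net are placeholder hosts.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://example.com/site.css">
<script src="http://ads.example.net/show_ads.js"></script>
</head><body>
<img src="https://example.com/logo.png">
<a href="http://example.com/login">Log in</a>
<a href="https://example.com/about">About</a>
<a href="http://other.example.org/">Partner</a>
</body></html>"""

if __name__ == "__main__":
    subs, links = audit_html(SAMPLE_PAGE, "example.com")
    print("insecure subresources:", subs, "insecure same-site links:", links)
```

Links to other hosts over http:// are deliberately not reported, since only same-site links can be fixed by the site itself; third-party subresources without an SSL version are reported because the browser will warn about them regardless.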
Michael, that's absolutely true. It's very difficult to do the right thing today, because large parts of the ecosystem don't know or don't care about security.
Posted by: Ivan Ristić | July 26, 2009 at 01:48 PM